---
title: AWS
url: /docs/reference/pre-built-policy-packs/cmmc/aws/
---This page lists all 54 policies in the **CMMC 2.0** pack for **AWS**, as published in `cmmc-aws` version `1.0.2`.

## Policies by control

**AC.L1-3.1.1 Limit system access to authorized users** — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

- [ec2-instance-disallow-public-ip](#ec2-instance-disallow-public-ip)
- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**AC.L1-3.1.2 Limit system access to authorized transaction types** — Limit system access to the types of transactions and functions that authorized users are permitted to execute.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)
- [s3-bucket-least-privilege](#s3-bucket-least-privilege)

**AC.L2-3.1.3 Control the flow of CUI** — Control the flow of CUI in accordance with approved authorizations.

- [security-group-strict](#security-group-strict)
- [vpc-flow-logs](#vpc-flow-logs)

**AC.L2-3.1.4 Separate the duties of individuals** — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**AC.L2-3.1.5 Employ the principle of least privilege** — Employ the principle of least privilege, including for specific security functions and privileged accounts.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)
- [pubsub-least-privilege-iam](#pubsub-least-privilege-iam)
- [s3-bucket-least-privilege](#s3-bucket-least-privilege)

**AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions** — Use non-privileged accounts or roles when accessing nonsecurity functions.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions** — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**AC.L2-3.1.11 Terminate user sessions after inactivity** — Terminate (automatically) a user session after a defined condition.

- [iam-role-session-duration](#iam-role-session-duration)

**AC.L2-3.1.12 Monitor and control remote access sessions** — Monitor and control remote access sessions.

- [vpc-flow-logs](#vpc-flow-logs)

**AC.L2-3.1.13 Employ cryptographic mechanisms for remote access** — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

- [elb-load-balancer-disallow-unencrypted-traffic](#elb-load-balancer-disallow-unencrypted-traffic)
- [rds-clusterinstance-ssl-encryption](#rds-clusterinstance-ssl-encryption)

**AC.L2-3.1.15 Authorize remote execution of privileged commands** — Authorize remote execution of privileged commands and remote access to security-relevant information.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**AC.L2-3.1.22 Control CUI on publicly accessible systems** — Control CUI posted or processed on publicly accessible systems.

- [ec2-instance-disallow-public-ip](#ec2-instance-disallow-public-ip)
- [rds-instance-disallow-public-access](#rds-instance-disallow-public-access)
- [s3-bucket-public-access-block](#s3-bucket-public-access-block)

**AU.L1-3.3.1 Create and retain system audit logs** — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

- [api-gateway-access-logging](#api-gateway-access-logging)
- [api-gateway-v2-access-logging](#api-gateway-v2-access-logging)
- [dynamodb-streams-enabled](#dynamodb-streams-enabled)
- [lambda-function-logging](#lambda-function-logging)
- [rds-audit-logging](#rds-audit-logging)
- [s3-bucket-access-logging](#s3-bucket-access-logging)
- [vpc-flow-logs](#vpc-flow-logs)

**AU.L2-3.3.9 Limit audit logging management to privileged users** — Limit management of audit logging functionality to a subset of privileged users.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**CM.L1-3.4.2 Establish and enforce security configuration settings** — Establish and enforce security configuration settings for information technology products employed in organizational systems.

- [docdb-clusterinstance-managed-service-patching](#docdb-clusterinstance-managed-service-patching)
- [rds-instance-managed-service-patching](#rds-instance-managed-service-patching)

**CM.L2-3.4.3 Track and log configuration changes** — Track, review, approve or disapprove, and log changes to organizational systems.

- [dynamodb-streams-enabled](#dynamodb-streams-enabled)

**CM.L2-3.4.5 Define access restrictions for system changes** — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**CM.L2-3.4.6 Employ principle of least functionality** — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

- [security-group-default-deny](#security-group-default-deny)
- [security-group-strict](#security-group-strict)

**CM.L2-3.4.7 Restrict nonessential programs and services** — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

- [ec2-security-group-disallow-inbound-http-traffic](#ec2-security-group-disallow-inbound-http-traffic)
- [security-group-strict](#security-group-strict)

**IA.L1-3.5.1 Identify system users and devices** — Identify system users, processes acting on behalf of users, and devices.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**IA.L1-3.5.2 Authenticate identities of users and devices** — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

- [iam-role-assume-role-mfa-enforcement](#iam-role-assume-role-mfa-enforcement)
- [iam-user-mfa-console-access](#iam-user-mfa-console-access)

**IA.L2-3.5.3 Use multifactor authentication** — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

- [iam-role-assume-role-mfa-enforcement](#iam-role-assume-role-mfa-enforcement)
- [iam-user-mfa-console-access](#iam-user-mfa-console-access)

**IA.L2-3.5.7 Enforce minimum password complexity** — Enforce a minimum password complexity and change of characters when new passwords are created.

- [iam-password-policy-minimum-password-length](#iam-password-policy-minimum-password-length)

**IA.L2-3.5.8 Prohibit password reuse** — Prohibit password reuse for a specified number of generations.

- [iam-password-policy-prevent-reuse](#iam-password-policy-prevent-reuse)

**MA.L1-3.7.1 Perform system maintenance** — Perform maintenance on organizational systems.

- [docdb-clusterinstance-managed-service-patching](#docdb-clusterinstance-managed-service-patching)
- [rds-instance-managed-service-patching](#rds-instance-managed-service-patching)

**MA.L1-3.7.2 Provide controls on maintenance tools and personnel** — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

- [iam-policy-least-privilege](#iam-policy-least-privilege)
- [iam-role-least-privilege](#iam-role-least-privilege)
- [iam-role-policy-least-privilege](#iam-role-policy-least-privilege)
- [iam-user-policy-least-privilege](#iam-user-policy-least-privilege)

**MA.L2-3.7.5 Require MFA for nonlocal maintenance** — Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

- [iam-role-assume-role-mfa-enforcement](#iam-role-assume-role-mfa-enforcement)

**MP.L1-3.8.1 Protect system media containing CUI** — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

- [ebs-volume-disallow-unencrypted-volume](#ebs-volume-disallow-unencrypted-volume)
- [s3-bucket-encryption](#s3-bucket-encryption)

**MP.L1-3.8.2 Limit access to CUI on system media** — Limit access to CUI on system media to authorized users.

- [s3-bucket-least-privilege](#s3-bucket-least-privilege)
- [s3-bucket-public-access-block](#s3-bucket-public-access-block)

**MP.L1-3.8.3 Sanitize or destroy system media before disposal** — Sanitize or destroy system media containing CUI before disposal or release for reuse.

- [s3-bucket-lifecycle](#s3-bucket-lifecycle)

**MP.L2-3.8.4 Mark media with CUI markings** — Mark media with necessary CUI markings and distribution limitations.

- [environment-separation-tagging](#environment-separation-tagging)
- [resource-tagging](#resource-tagging)

**MP.L2-3.8.9 Protect confidentiality of backup CUI** — Protect the confidentiality of backup CUI at storage locations.

- [rds-instance-disallow-unencrypted-storage](#rds-instance-disallow-unencrypted-storage)
- [s3-bucket-encryption](#s3-bucket-encryption)

**RA.L2-3.11.2 Scan for vulnerabilities** — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

- [ecr-image-scanning](#ecr-image-scanning)
- [ecr-repository-enable-image-scan](#ecr-repository-enable-image-scan)
- [ecs-task-definition-image-scanning](#ecs-task-definition-image-scanning)

**RA.L2-3.11.3 Remediate vulnerabilities** — Remediate vulnerabilities in accordance with risk assessments.

- [docdb-clusterinstance-managed-service-patching](#docdb-clusterinstance-managed-service-patching)
- [rds-instance-managed-service-patching](#rds-instance-managed-service-patching)

**SC.L1-3.13.1 Monitor and control communications at boundaries** — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

- [api-gateway-waf-association](#api-gateway-waf-association)
- [appsync-waf-association](#appsync-waf-association)
- [cloudfront-waf-association](#cloudfront-waf-association)
- [load-balancer-waf-association](#load-balancer-waf-association)
- [security-group-strict](#security-group-strict)
- [vpc-flow-logs](#vpc-flow-logs)
- [waf-association-validation](#waf-association-validation)

**SC.L1-3.13.2 Employ architectural designs promoting security** — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

- [subnet-multi-az](#subnet-multi-az)
- [vpc-endpoint-security-policy](#vpc-endpoint-security-policy)

**SC.L2-3.13.5 Implement subnetworks for publicly accessible components** — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

- [vpc-subnet-flow-logs](#vpc-subnet-flow-logs)

**SC.L2-3.13.6 Deny network traffic by default** — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

- [security-group-default-deny](#security-group-default-deny)
- [security-group-strict](#security-group-strict)

**SC.L2-3.13.8 Implement cryptographic mechanisms for transmission** — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

- [cloudfront-distribution-disallow-unencrypted-traffic](#cloudfront-distribution-disallow-unencrypted-traffic)
- [elb-load-balancer-disallow-unencrypted-traffic](#elb-load-balancer-disallow-unencrypted-traffic)
- [rds-clusterinstance-ssl-encryption](#rds-clusterinstance-ssl-encryption)

**SC.L2-3.13.10 Establish and manage cryptographic keys** — Establish and manage cryptographic keys for cryptography employed in organizational systems.

- [kms-key-creation](#kms-key-creation)
- [kms-key-deletion-lifecycle](#kms-key-deletion-lifecycle)
- [kms-key-enable-key-rotation](#kms-key-enable-key-rotation)

**SC.L2-3.13.11 Employ FIPS-validated cryptography** — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

- [kms-key-creation](#kms-key-creation)
- [s3-bucket-encryption](#s3-bucket-encryption)

**SC.L2-3.13.15 Protect authenticity of communications sessions** — Protect the authenticity of communications sessions.

- [api-gateway-authorization](#api-gateway-authorization)
- [elb-load-balancer-disallow-unencrypted-traffic](#elb-load-balancer-disallow-unencrypted-traffic)

**SC.L2-3.13.16 Protect confidentiality of CUI at rest** — Protect the confidentiality of CUI at rest.

- [ebs-volume-disallow-unencrypted-volume](#ebs-volume-disallow-unencrypted-volume)
- [efs-file-system-disallow-unencrypted-file-system](#efs-file-system-disallow-unencrypted-file-system)
- [lambda-environment-variables-encryption](#lambda-environment-variables-encryption)
- [rds-instance-disallow-unencrypted-storage](#rds-instance-disallow-unencrypted-storage)
- [s3-bucket-encryption](#s3-bucket-encryption)
- [secrets-manager-secret-configure-customer-managed-key](#secrets-manager-secret-configure-customer-managed-key)

**SI.L1-3.14.1 Identify and correct system flaws** — Identify, report, and correct system flaws in a timely manner.

- [ecr-repository-enable-image-scan](#ecr-repository-enable-image-scan)
- [rds-instance-managed-service-patching](#rds-instance-managed-service-patching)

**SI.L1-3.14.2 Provide protection from malicious code** — Provide protection from malicious code at designated locations within organizational systems.

- [anti-malware-edr](#anti-malware-edr)

**SI.L2-3.14.5 Perform periodic and real-time scans** — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

- [ecr-image-scanning](#ecr-image-scanning)
- [ecr-repository-enable-image-scan](#ecr-repository-enable-image-scan)
- [ecs-task-definition-image-scanning](#ecs-task-definition-image-scanning)

**SI.L2-3.14.6 Monitor systems to detect attacks** — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

- [vpc-flow-logs](#vpc-flow-logs)
- [vpc-subnet-flow-logs](#vpc-subnet-flow-logs)

## Policy details

### anti-malware-edr

**Severity:** high · **Enforcement:** advisory

Ensures EC2 instances have anti-malware/EDR agents deployed

- **SI.L1-3.14.2 Provide protection from malicious code** — Provide protection from malicious code at designated locations within organizational systems.

Remediation

##### Fix: Deploy Anti-Malware/EDR Agent via User Data

Include anti-malware or EDR agent installation commands in the instance's userData:

```typescript
const instance = new aws.ec2.Instance("protected-instance", {
    instanceType: "t3.medium",
    ami: "ami-0c55b159cbfafe1f0",
    userData: "#!/bin/bash\nyum install -y amazon-ssm-agent\nsystemctl enable amazon-ssm-agent\nsystemctl start amazon-ssm-agent", // Install SSM agent
    subnetId: subnet.id,
});
```

### api-gateway-access-logging

**Severity:** medium · **Enforcement:** advisory

Ensures API Gateway stages have access logging enabled

- **AU.L1-3.3.1 Create and retain system audit logs** — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Remediation

##### Fix: Enable Access Logging for API Gateway Stage

Configure the `accessLogSettings` property with a CloudWatch Log Group ARN to enable comprehensive audit logging:

```typescript
const logGroup = new aws.cloudwatch.LogGroup("api-logs", {
    retentionInDays: 30,
});

const stage = new aws.apigateway.Stage("my-stage", {
    restApi: api.id,
    stageName: "prod",
    deployment: deployment.id,
    accessLogSettings: { // Enable access logging
        destinationArn: logGroup.arn, // Specify CloudWatch Log Group
        format: "$context.requestId",
    },
});
```

### api-gateway-authorization

**Severity:** high · **Enforcement:** advisory

Ensures API Gateway methods use strong authorization instead of NONE

- **SC.L2-3.13.15 Protect authenticity of communications sessions** — Protect the authenticity of communications sessions.

Remediation

##### Fix: Enable Strong Authorization for API Gateway Method

Set the `authorization` property to a strong authorization type (AWS_IAM, COGNITO_USER_POOLS, CUSTOM, or JWT) instead of "NONE":

```typescript
const method = new aws.apigateway.Method("my-method", {
    restApi: api.id,
    resourceId: resource.id,
    httpMethod: "GET",
    authorization: "AWS_IAM", // Use strong authorization instead of "NONE"
    // For CUSTOM authorization, also specify the authorizer:
    // authorizerId: authorizer.id,
});
```

### api-gateway-v2-access-logging

**Severity:** medium · **Enforcement:** advisory

Ensures API Gateway V2 stages have access logging enabled

- **AU.L1-3.3.1 Create and retain system audit logs** — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Remediation

##### Fix: Enable Access Logging for API Gateway V2 Stage

Configure the `accessLogSettings` property with a CloudWatch Log Group ARN to enable comprehensive audit logging:

```typescript
const logGroup = new aws.cloudwatch.LogGroup("api-v2-logs", {
    retentionInDays: 30,
});

const stage = new aws.apigatewayv2.Stage("my-stage", {
    apiId: api.id,
    name: "prod",
    accessLogSettings: { // Enable access logging
        destinationArn: logGroup.arn, // Specify CloudWatch Log Group
        format: "$context.requestId",
    },
});
```

### api-gateway-waf-association

**Severity:** critical · **Enforcement:** advisory

Ensures public-facing API Gateways have WAF associations

- **SC.L1-3.13.1 Monitor and control communications at boundaries** — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Remediation

##### Fix: Associate WAF Web ACL with API Gateway Stage

Create a WAF Web ACL association for your API Gateway stage:

```typescript
// Create a WAF Web ACL association for the API Gateway stage
const wafAssociation = new aws.wafv2.WebAclAssociation("api-waf-association", {
    resourceArn: pulumi.interpolate`arn:aws:apigateway:${region}::/restapis/${restApi.id}/stages/${stage.stageName}`, // Stage ARN
    webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
});
```

### appsync-waf-association

**Severity:** critical · **Enforcement:** advisory

Ensures public-facing AppSync GraphQL APIs have WAF associations

- **SC.L1-3.13.1 Monitor and control communications at boundaries** — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Remediation

##### Fix: Associate WAF Web ACL with AppSync GraphQL API

Create a WAF Web ACL association to protect your AppSync GraphQL API:

```typescript
// Create a WAF Web ACL association for the AppSync GraphQL API
const wafAssociation = new aws.wafv2.WebAclAssociation("appsync-waf-association", {
    resourceArn: graphqlApi.arn, // Reference the GraphQL API ARN
    webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
});
```

### cloudfront-distribution-disallow-unencrypted-traffic

**Severity:** critical · **Enforcement:** advisory

Checks that CloudFront distributions only allow encypted ingress traffic.

- **SC.L2-3.13.8 Implement cryptographic mechanisms for transmission** — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

Remediation

##### Fix: Enforce HTTPS for CloudFront Distribution

Set the `viewerProtocolPolicy` to "redirect-to-https" or "https-only" for both default and ordered cache behaviors to ensure all traffic is encrypted:

```typescript
const distribution = new cloudfront.Distribution("my-distribution", {
    enabled: true,
    defaultCacheBehavior: {
        targetOriginId: origin.originId,
        viewerProtocolPolicy: "redirect-to-https", // Enforce HTTPS for all traffic
        allowedMethods: ["GET", "HEAD"],
        cachedMethods: ["GET", "HEAD"],
        forwardedValues: {
            queryString: false,
            cookies: { forward: "none" },
        },
    },
    orderedCacheBehaviors: [{
        pathPattern: "/api/*",
        targetOriginId: origin.originId,
        viewerProtocolPolicy: "https-only", // Enforce HTTPS-only for API paths
        allowedMethods: ["GET", "HEAD", "OPTIONS"],
        cachedMethods: ["GET", "HEAD"],
        forwardedValues: {
            queryString: true,
            cookies: { forward: "none" },
        },
    }],
    origins: [origin],
    viewerCertificate: {
        cloudfrontDefaultCertificate: true,
    },
});
```

### cloudfront-waf-association

**Severity:** critical · **Enforcement:** advisory

Ensures CloudFront distributions have WAF associations

- **SC.L1-3.13.1 Monitor and control communications at boundaries** — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Remediation

##### Fix: Associate WAF Web ACL with CloudFront Distribution

Set the `webAclId` property to associate your CloudFront distribution with a WAF Web ACL:

```typescript
const distribution = new aws.cloudfront.Distribution("my-distribution", {
    enabled: true,
    webAclId: webAcl.arn, // Associate the WAF Web ACL with the distribution
    origins: [{
        domainName: bucket.bucketRegionalDomainName,
        originId: "S3Origin",
    }],
    defaultCacheBehavior: {
        targetOriginId: "S3Origin",
        viewerProtocolPolicy: "redirect-to-https",
        allowedMethods: ["GET", "HEAD"],
        cachedMethods: ["GET", "HEAD"],
        forwardedValues: {
            queryString: false,
            cookies: { forward: "none" },
        },
    },
});
```

### docdb-clusterinstance-managed-service-patching

**Severity:** medium · **Enforcement:** advisory

Ensures DocumentDB cluster instances have automated minor version upgrades enabled

- **CM.L1-3.4.2 Establish and enforce security configuration settings** — Establish and enforce security configuration settings for information technology products employed in organizational systems.
- **MA.L1-3.7.1 Perform system maintenance** — Perform maintenance on organizational systems.
- **RA.L2-3.11.3 Remediate vulnerabilities** — Remediate vulnerabilities in accordance with risk assessments.

Remediation

##### Fix: Enable Automatic Minor Version Upgrades for DocumentDB Cluster Instance

Set the `autoMinorVersionUpgrade` property to `true` to enable automated patching for managed service security updates:

```typescript
const clusterInstance = new aws.docdb.ClusterInstance("my-cluster-instance", {
    clusterIdentifier: cluster.id,
    instanceClass: "db.r5.large",
    autoMinorVersionUpgrade: true, // Enable automatic minor version upgrades
});
```

### dynamodb-streams-enabled

**Severity:** medium · **Enforcement:** advisory

Enforces that all DynamoDB tables have Stream settings enabled to capture all changes

- **AU.L1-3.3.1 Create and retain system audit logs** — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- **CM.L2-3.4.3 Track and log configuration changes** — Track, review, approve or disapprove, and log changes to organizational systems.

Remediation

##### Fix: Enable DynamoDB Streams

Set the `streamEnabled` property to true on your DynamoDB table:

```typescript
const table = new aws.dynamodb.Table("my-table", {
    name: "my-table",
    attributes: [
        { name: "id", type: "S" },
    ],
    hashKey: "id",
    streamEnabled: true, // Enable DynamoDB Streams
    billingMode: "PAY_PER_REQUEST",
});
```

### ebs-volume-disallow-unencrypted-volume

**Severity:** high · **Enforcement:** advisory

Checks that EBS volumes are encrypted.

- **MP.L1-3.8.1 Protect system media containing CUI** — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- **SC.L2-3.13.16 Protect confidentiality of CUI at rest** — Protect the confidentiality of CUI at rest.

Remediation

##### Fix: Enable EBS Volume Encryption

Set the `encrypted` property to `true` on the EBS volume:

```typescript
const volume = new aws.ebs.Volume("my-volume", {
    availabilityZone: "us-west-2a",
    size: 100,
    encrypted: true, // Enable encryption for the volume
});
```

### ec2-instance-disallow-public-ip

**Severity:** high · **Enforcement:** advisory

Checks that EC2 instances do not have a public IP address.

- **AC.L1-3.1.1 Limit system access to authorized users** — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- **AC.L2-3.1.22 Control CUI on publicly accessible systems** — Control CUI posted or processed on publicly accessible systems.

Remediation

##### Fix: Disable Public IP Address Assignment

Set `associatePublicIpAddress` to `false` to prevent the instance from receiving a public IP address:

```typescript
const instance = new ec2.Instance("my-instance", {
    instanceType: "t3.micro",
    ami: "ami-12345678",
    associatePublicIpAddress: false, // Disable public IP assignment
    subnetId: privateSubnet.id,
});
```

### ec2-security-group-disallow-inbound-http-traffic

**Severity:** medium · **Enforcement:** advisory

Check that EC2 Security Groups do not allow inbound HTTP traffic.

- **CM.L2-3.4.7 Restrict nonessential programs and services** — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Remediation

##### Fix: Remove HTTP Inbound Traffic Rules

Remove any ingress rules that allow HTTP traffic on port 80, or use HTTPS (port 443) instead:

```typescript
const securityGroup = new ec2.SecurityGroup("my-sg", {
    vpcId: vpc.id,
    ingress: [
        {
            protocol: "tcp",
            fromPort: 443, // Use HTTPS instead of HTTP (port 80)
            toPort: 443,
            cidrBlocks: ["0.0.0.0/0"],
        },
        // Remove any rules with fromPort: 80 or toPort: 80
    ],
});
```

### ecr-image-scanning

**Severity:** high · **Enforcement:** advisory

Ensures ECR repositories have image scanning enabled for vulnerability management

- **RA.L2-3.11.2 Scan for vulnerabilities** — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- **SI.L2-3.14.5 Perform periodic and real-time scans** — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

Remediation

##### Fix: Enable Image Scanning for ECR Repository

Set the `imageScanningConfiguration` with `scanOnPush: true` to automatically scan container images for vulnerabilities when they are pushed:

```typescript
const repository = new aws.ecr.Repository("my-repo", {
    name: "my-application",
    imageScanningConfiguration: {
        scanOnPush: true, // Enable automatic vulnerability scanning
    },
});
```

### ecr-repository-enable-image-scan

**Severity:** high · **Enforcement:** advisory

Checks that ECR repositories have 'scan-on-push' enabled.

- **RA.L2-3.11.2 Scan for vulnerabilities** — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- **SI.L1-3.14.1 Identify and correct system flaws** — Identify, report, and correct system flaws in a timely manner.
- **SI.L2-3.14.5 Perform periodic and real-time scans** — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

Remediation

##### Fix: Enable Scan-on-Push for ECR Repository

Set `scanOnPush` to `true` in the `imageScanningConfiguration` to automatically scan container images for vulnerabilities when pushed:

```typescript
const repository = new aws.ecr.Repository("my-repository", {
    imageScanningConfiguration: {
        scanOnPush: true, // Enable automatic vulnerability scanning
    },
});
```

### ecs-task-definition-image-scanning

**Severity:** high · **Enforcement:** advisory

Ensures ECS task definitions use images from repositories with vulnerability scanning

- **RA.L2-3.11.2 Scan for vulnerabilities** — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- **SI.L2-3.14.5 Perform periodic and real-time scans** — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

Remediation

##### Fix: Use ECR Images with Scanning Enabled

Update your ECS task definition to use container images from ECR repositories that have vulnerability scanning enabled:

```typescript
const taskDefinition = new aws.ecs.TaskDefinition("my-task", {
    family: "my-app",
    containerDefinitions: JSON.stringify([{
        name: "app",
        image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest", // Use ECR image with scanning
        memory: 512,
        cpu: 256,
    }]),
    requiresCompatibilities: ["FARGATE"],
    networkMode: "awsvpc",
    cpu: "256",
    memory: "512",
});
```

### efs-file-system-disallow-unencrypted-file-system

**Severity:** high · **Enforcement:** advisory

Checks that EFS File Systems do not have an unencrypted file system.

- **SC.L2-3.13.16 Protect confidentiality of CUI at rest** — Protect the confidentiality of CUI at rest.

Remediation

##### Fix: Enable Encryption for EFS File System

Set the `encrypted` property to `true` when creating an EFS file system:

```typescript
const fileSystem = new aws.efs.FileSystem("my-efs", {
    encrypted: true, // Enable encryption at rest
    kmsKeyId: kmsKey.arn, // Optional: specify a custom KMS key
});
```

### elb-load-balancer-disallow-unencrypted-traffic

**Severity:** critical · **Enforcement:** advisory

Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic.

- **AC.L2-3.1.13 Employ cryptographic mechanisms for remote access** — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- **SC.L2-3.13.8 Implement cryptographic mechanisms for transmission** — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
- **SC.L2-3.13.15 Protect authenticity of communications sessions** — Protect the authenticity of communications sessions.

Remediation

##### Fix: Use HTTPS Instead of HTTP for Load Balancer Listeners

Configure all listeners to use HTTPS (port 443) instead of HTTP (port 80) to ensure encrypted traffic:

```typescript
const lb = new aws.elb.LoadBalancer("my-lb", {
    availabilityZones: ["us-west-2a", "us-west-2b"],
    listeners: [{
        instancePort: 443,
        instanceProtocol: "https",
        lbPort: 443,
        lbProtocol: "https", // Use HTTPS instead of HTTP
        sslCertificateId: "arn:aws:iam::123456789012:server-certificate/my-cert",
    }],
});
```

### environment-separation-tagging

**Severity:** medium · **Enforcement:** advisory

Ensures that resources are tagged to distinguish between production and non-production environments

- **MP.L2-3.8.4 Mark media with CUI markings** — Mark media with necessary CUI markings and distribution limitations.

Remediation

##### Fix: Add Environment Tag to Resource

Add an "Environment" tag to the resource with a valid environment value (e.g., production, development, staging, testing):

```typescript
const instance = new aws.ec2.Instance("web-server", {
    instanceType: "t3.micro",
    ami: "ami-12345678",
    tags: {
        "Environment": "production", // Add environment tag for proper separation
        "Name": "web-server",
    },
});
```

### iam-password-policy-minimum-password-length

**Severity:** high · **Enforcement:** advisory

Ensure IAM password policy requires minimum length of 14 or greater.

- **IA.L2-3.5.7 Enforce minimum password complexity** — Enforce a minimum password complexity and change of characters when new passwords are created.

Remediation

##### Fix: Set Minimum Password Length to 14 Characters

Set the `minimumPasswordLength` to 14 or greater for the IAM Account Password Policy:

```typescript
const passwordPolicy = new aws.iam.AccountPasswordPolicy("account-password-policy", {
    minimumPasswordLength: 14, // Set minimum length to at least 14 characters
});
```

### iam-password-policy-prevent-reuse

**Severity:** high · **Enforcement:** advisory

Ensure IAM password policy prevents password reuse.

- **IA.L2-3.5.8 Prohibit password reuse** — Prohibit password reuse for a specified number of generations.

Remediation

##### Fix: Configure Password Reuse Prevention

Set the `passwordReusePrevention` property to 24 to prevent users from reusing their previous 24 passwords:

```typescript
const accountPasswordPolicy = new aws.iam.AccountPasswordPolicy("password-policy", {
    minimumPasswordLength: 14,
    requireNumbers: true,
    requireSymbols: true,
    requireUppercaseCharacters: true,
    requireLowercaseCharacters: true,
    passwordReusePrevention: 24, // Prevent reuse of previous 24 passwords
});
```

### iam-policy-least-privilege

**Severity:** high · **Enforcement:** advisory

Ensures IAM policies follow least privilege principles

- **AC.L1-3.1.1 Limit system access to authorized users** — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- **AC.L1-3.1.2 Limit system access to authorized transaction types** — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- **AC.L2-3.1.4 Separate the duties of individuals** — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- **AC.L2-3.1.5 Employ the principle of least privilege** — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- **AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions** — Use non-privileged accounts or roles when accessing nonsecurity functions.
- **AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions** — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- **AC.L2-3.1.15 Authorize remote execution of privileged commands** — Authorize remote execution of privileged commands and remote access to security-relevant information.
- **AU.L2-3.3.9 Limit audit logging management to privileged users** — Limit management of audit logging functionality to a subset of privileged users.
- **CM.L2-3.4.5 Define access restrictions for system changes** — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- **IA.L1-3.5.1 Identify system users and devices** — Identify system users, processes acting on behalf of users, and devices.
- **MA.L1-3.7.2 Provide controls on maintenance tools and personnel** — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Remediation

##### Fix: Replace Wildcard Permissions with Specific Actions and Resources

Replace wildcard actions and resources with explicit, scoped permissions that grant only the minimum required access:

```typescript
const policy = new aws.iam.Policy("my-policy", {
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "s3:GetObject",        // Specify exact actions needed
                "s3:PutObject",
            ],
            Resource: [
                "arn:aws:s3:::my-bucket/*",  // Scope to specific resources
            ],
        }],
    }),
});
```

### iam-role-assume-role-mfa-enforcement

**Severity:** high · **Enforcement:** advisory

Ensures IAM roles require MFA when assumed by human users (not AWS services)

- **IA.L1-3.5.2 Authenticate identities of users and devices** — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
- **IA.L2-3.5.3 Use multifactor authentication** — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- **MA.L2-3.7.5 Require MFA for nonlocal maintenance** — Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Remediation

##### Fix: Add MFA Condition to Role Trust Policy

Add the `aws:MultiFactorAuthPresent` condition to any assume role statement that allows human principals to assume the role:

```typescript
const adminRole = new aws.iam.Role("admin-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::123456789012:root" // Root account (human)
            },
            Action: "sts:AssumeRole",
            Condition: {
                Bool: {
                    "aws:MultiFactorAuthPresent": "true" // Require MFA
                }
            }
        }],
    }),
});

const userAssumeRole = new aws.iam.Role("user-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::123456789012:user/john.doe" // IAM user (human)
            },
            Action: "sts:AssumeRole",
            Condition: {
                Bool: {
                    "aws:MultiFactorAuthPresent": "true" // Require MFA
                }
            }
        }],
    }),
});

// Service roles are automatically exempt (no MFA condition needed)
const ecsTaskRole = new aws.iam.Role("ecs-task-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Service: "ecs-tasks.amazonaws.com" // Service principal - no MFA needed
            },
            Action: "sts:AssumeRole"
        }],
    }),
});

// Role principals are never flagged (could be cross-account service roles)
const crossAccountRole = new aws.iam.Role("cross-account-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::111111111111:role/service-role" // Role principal - not checked
            },
            Action: "sts:AssumeRole"
        }],
    }),
});
```

### iam-role-least-privilege

**Severity:** high · **Enforcement:** advisory

Ensures IAM roles follow least privilege principles

- **AC.L1-3.1.1 Limit system access to authorized users** — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- **AC.L1-3.1.2 Limit system access to authorized transaction types** — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- **AC.L2-3.1.4 Separate the duties of individuals** — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- **AC.L2-3.1.5 Employ the principle of least privilege** — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- **AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions** — Use non-privileged accounts or roles when accessing nonsecurity functions.
- **AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions** — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- **AC.L2-3.1.15 Authorize remote execution of privileged commands** — Authorize remote execution of privileged commands and remote access to security-relevant information.
- **AU.L2-3.3.9 Limit audit logging management to privileged users** — Limit management of audit logging functionality to a subset of privileged users.
- **CM.L2-3.4.5 Define access restrictions for system changes** — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- **IA.L1-3.5.1 Identify system users and devices** — Identify system users, processes acting on behalf of users, and devices.
- **MA.L1-3.7.2 Provide controls on maintenance tools and personnel** — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Remediation

##### Fix: Replace Wildcard Permissions with Specific Actions and Resources

Replace wildcard actions and resources in inline policies with explicit, scoped permissions:

```typescript
const role = new aws.iam.Role("my-role", {
    assumeRolePolicy: assumePolicyDoc,
    inlinePolicies: [{
        name: "my-inline-policy",
        policy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "dynamodb:GetItem",    // Specify exact actions needed
                    "dynamodb:PutItem",
                ],
                Resource: [
                    "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable",  // Scope to specific resources
                ],
            }],
        }),
    }],
});
```

### iam-role-policy-least-privilege

**Severity:** high · **Enforcement:** advisory

Ensures IAM role policies follow least privilege principles

- **AC.L1-3.1.1 Limit system access to authorized users** — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- **AC.L1-3.1.2 Limit system access to authorized transaction types** — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- **AC.L2-3.1.4 Separate the duties of individuals** — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- **AC.L2-3.1.5 Employ the principle of least privilege** — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- **AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions** — Use non-privileged accounts or roles when accessing nonsecurity functions.
- **AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions** — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- **AC.L2-3.1.15 Authorize remote execution of privileged commands** — Authorize remote execution of privileged commands and remote access to security-relevant information.
- **AU.L2-3.3.9 Limit audit logging management to privileged users** — Limit management of audit logging functionality to a subset of privileged users.
- **CM.L2-3.4.5 Define access restrictions for system changes** — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- **IA.L1-3.5.1 Identify system users and devices** — Identify system users, processes acting on behalf of users, and devices.
- **MA.L1-3.7.2 Provide controls on maintenance tools and personnel** — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Remediation

##### Fix: Replace Wildcard Permissions with Specific Actions and Resources

Replace wildcard actions and resources with explicit, scoped permissions:

```typescript
const rolePolicy = new aws.iam.RolePolicy("my-role-policy", {
    role: myRole.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "ec2:DescribeInstances",   // Specify exact actions needed
                "ec2:StartInstances",
                "ec2:StopInstances",
            ],
            Resource: [
                "arn:aws:ec2:us-east-1:123456789012:instance/*",  // Scope to specific resources
            ],
        }],
    }),
});
```

### iam-role-session-duration

**Severity:** medium · **Enforcement:** advisory

Enforces maximum session duration for IAM roles

- **AC.L2-3.1.11 Terminate user sessions after inactivity** — Terminate (automatically) a user session after a defined condition.

Remediation

##### Fix: Set Appropriate Maximum Session Duration for IAM Role

Configure the `maxSessionDuration` property based on the role type to limit credential exposure window:

```typescript
const appRole = new aws.iam.Role("app-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: { Service: "ec2.amazonaws.com" },
            Action: "sts:AssumeRole",
        }],
    }),
    maxSessionDuration: 3600, // 1 hour for general roles (default)
});

const adminRole = new aws.iam.Role("admin-role", {
    name: "AdminRole",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: { AWS: "arn:aws:iam::123456789012:root" },
            Action: "sts:AssumeRole",
        }],
    }),
    maxSessionDuration: 7200, // 2 hours for administrative roles
});
```

### iam-user-mfa-console-access

**Severity:** high · **Enforcement:** advisory

Ensures IAM users with console access have MFA devices

- **IA.L1-3.5.2 Authenticate identities of users and devices** — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
- **IA.L2-3.5.3 Use multifactor authentication** — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Remediation

##### Fix: Enable MFA for IAM User Console Access

Create a Virtual MFA Device for each IAM user with console access:

```typescript
const user = new aws.iam.User("example-user", {
    name: "example-user",
});

const loginProfile = new aws.iam.UserLoginProfile("example-login", {
    user: user.name,
});

// Create Virtual MFA Device for the user
const mfaDevice = new aws.iam.VirtualMfaDevice("example-user-mfa", {
    virtualMfaDeviceName: "example-user-mfa", // Name must match pattern: <username>-mfa or <username>-mfa-device
    userName: user.name, // Associate MFA device with the user
});
```

### iam-user-policy-least-privilege

**Severity:** high · **Enforcement:** advisory

Ensures IAM user policies follow least privilege principles

- **AC.L1-3.1.1 Limit system access to authorized users** — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- **AC.L1-3.1.2 Limit system access to authorized transaction types** — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- **AC.L2-3.1.4 Separate the duties of individuals** — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- **AC.L2-3.1.5 Employ the principle of least privilege** — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- **AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions** — Use non-privileged accounts or roles when accessing nonsecurity functions.
- **AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions** — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- **AC.L2-3.1.15 Authorize remote execution of privileged commands** — Authorize remote execution of privileged commands and remote access to security-relevant information.
- **AU.L2-3.3.9 Limit audit logging management to privileged users** — Limit management of audit logging functionality to a subset of privileged users.
- **CM.L2-3.4.5 Define access restrictions for system changes** — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- **IA.L1-3.5.1 Identify system users and devices** — Identify system users, processes acting on behalf of users, and devices.
- **MA.L1-3.7.2 Provide controls on maintenance tools and personnel** — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Remediation

##### Fix: Replace Wildcard Permissions with Specific Actions and Resources

Replace wildcard actions and resources with explicit, scoped permissions:

```typescript
const userPolicy = new aws.iam.UserPolicy("my-user-policy", {
    user: myUser.name,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "s3:ListBucket",         // Specify exact actions needed
            ],
            Resource: [
                "arn:aws:s3:::my-bucket",  // Scope to specific resources
            ],
        }],
    }),
});
```

### kms-key-creation

**Severity:** medium · **Enforcement:** advisory

Validates KMS key creation with appropriate specifications and origins

- **SC.L2-3.13.10 Establish and manage cryptographic keys** — Establish and manage cryptographic keys for cryptography employed in organizational systems.
- **SC.L2-3.13.11 Employ FIPS-validated cryptography** — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

Remediation

##### Fix: Configure KMS Key with Proper Specifications

Add a description, configure an appropriate deletion window (7-30 days), and ensure key specifications match your security requirements:

```typescript
const key = new aws.kms.Key("my-key", {
    description: "Key for encrypting application data", // Add clear description
    customerMasterKeySpec: "SYMMETRIC_DEFAULT", // Use approved key spec
    keyUsage: "ENCRYPT_DECRYPT", // Specify key usage
    deletionWindowInDays: 30, // Set deletion window between 7-30 days
    enableKeyRotation: true,
});
```

### kms-key-deletion-lifecycle

**Severity:** medium · **Enforcement:** advisory

Validates KMS key deletion windows and lifecycle management

- **SC.L2-3.13.10 Establish and manage cryptographic keys** — Establish and manage cryptographic keys for cryptography employed in organizational systems.

Remediation

##### Fix: Configure KMS Key Deletion Window and Lifecycle Management

Set a `deletionWindowInDays` between 7 and 30 days, add descriptive tags, and provide a clear description for proper lifecycle management:

```typescript
const kmsKey = new aws.kms.Key("my-key", {
    description: "Encryption key for application data",
    deletionWindowInDays: 30, // Set deletion window between 7-30 days
    tags: {
        Environment: "production",
        Owner: "security-team",
        Purpose: "data-encryption",
    },
});
```

### kms-key-enable-key-rotation

**Severity:** medium · **Enforcement:** advisory

Checks that KMS Keys have key rotation enabled.

- **SC.L2-3.13.10 Establish and manage cryptographic keys** — Establish and manage cryptographic keys for cryptography employed in organizational systems.

Remediation

##### Fix: Enable Automatic Key Rotation for KMS Keys

Set the `enableKeyRotation` property to `true` for all KMS keys to ensure cryptographic keys are automatically rotated annually:

```typescript
const key = new kms.Key("my-key", {
    description: "KMS key with automatic rotation",
    enableKeyRotation: true, // Enable automatic annual key rotation
});
```

### lambda-environment-variables-encryption

**Severity:** high · **Enforcement:** advisory

Ensures that all Lambda functions have their environment variables encrypted using AWS KMS

- **SC.L2-3.13.16 Protect confidentiality of CUI at rest** — Protect the confidentiality of CUI at rest.

Remediation

##### Fix: Encrypt Lambda Environment Variables with KMS

Configure a KMS key for Lambda function environment variable encryption by setting the `kmsKeyArn` property:

```typescript
const kmsKey = new aws.kms.Key("lambda-env-key", {
    description: "KMS key for Lambda environment variable encryption",
});

const lambdaFunction = new aws.lambda.Function("my-function", {
    runtime: "nodejs18.x",
    handler: "index.handler",
    role: role.arn,
    code: new pulumi.asset.AssetArchive({
        ".": new pulumi.asset.FileArchive("./function"),
    }),
    environment: {
        variables: {
            DATABASE_URL: "postgres://example.com/db",
        },
    },
    kmsKeyArn: kmsKey.arn, // Encrypt environment variables with KMS
});
```

### lambda-function-logging

**Severity:** medium · **Enforcement:** advisory

Ensures that all AWS Lambda functions have logging enabled to track output data processing

- **AU.L1-3.3.1 Create and retain system audit logs** — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Remediation

##### Fix: Enable Lambda Function Logging Configuration

Add the `loggingConfig` property to your Lambda function with an appropriate `applicationLogLevel` (DEBUG, INFO, or WARN):

```typescript
const myFunction = new aws.lambda.Function("my-function", {
    runtime: "nodejs18.x",
    handler: "index.handler",
    role: lambdaRole.arn,
    code: new pulumi.asset.AssetArchive({
        ".": new pulumi.asset.FileArchive("./app"),
    }),
    loggingConfig: {
        logFormat: "JSON",
        applicationLogLevel: "INFO", // Set log level to INFO or DEBUG for adequate logging
    },
});
```

### load-balancer-waf-association

**Severity:** critical · **Enforcement:** advisory

Ensures public-facing Load Balancers have WAF associations

- **SC.L1-3.13.1 Monitor and control communications at boundaries** — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Remediation

##### Fix: Associate WAF Web ACL with Load Balancer

Create a WAF Web ACL association to protect your public-facing Load Balancer:

```typescript
// Create a WAF Web ACL association for the Load Balancer
const wafAssociation = new aws.wafv2.WebAclAssociation("lb-waf-association", {
    resourceArn: loadBalancer.arn, // Reference the Load Balancer ARN
    webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
});
```

### pubsub-least-privilege-iam

**Severity:** medium · **Enforcement:** advisory

Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis)

- **AC.L2-3.1.5 Employ the principle of least privilege** — Employ the principle of least privilege, including for specific security functions and privileged accounts.

Remediation

##### Fix: Use Specific Pub/Sub IAM Actions and Resource ARNs

Replace wildcard permissions with specific actions and resource ARNs for Pub/Sub services:

```typescript
const queuePolicy = new aws.iam.Policy("queue-policy", {
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "sqs:SendMessage",      // Use specific actions instead of sqs:*
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
            ],
            Resource: "arn:aws:sqs:us-east-1:123456789012:my-queue", // Use specific ARN instead of *
        }],
    }),
});
```

### rds-audit-logging

**Severity:** medium · **Enforcement:** advisory

Ensures RDS instances have audit logging enabled

- **AU.L1-3.3.1 Create and retain system audit logs** — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Remediation

##### Fix: Enable RDS Audit Logging to CloudWatch

Configure `enabledCloudwatchLogsExports` with appropriate audit log types for your database engine:

```typescript
// For MySQL/MariaDB
const db = new aws.rds.Instance("my-db", {
    engine: "mysql",
    instanceClass: "db.t3.micro",
    allocatedStorage: 20,
    enabledCloudwatchLogsExports: ["audit", "error", "general", "slowquery"], // Enable audit logs
    // ... other configuration
});

// For PostgreSQL
const pgDb = new aws.rds.Instance("my-pg-db", {
    engine: "postgres",
    instanceClass: "db.t3.micro",
    allocatedStorage: 20,
    enabledCloudwatchLogsExports: ["postgresql"], // Enable PostgreSQL logs
    // ... other configuration
});

// For Aurora clusters
const cluster = new aws.rds.Cluster("my-cluster", {
    engine: "aurora-mysql",
    enabledCloudwatchLogsExports: ["audit", "error", "general", "slowquery"], // Enable audit logs
    // ... other configuration
});
```

### rds-clusterinstance-ssl-encryption

**Severity:** high · **Enforcement:** advisory

Ensures RDS cluster instances have SSL/TLS encryption enabled through parameter group configuration

- **AC.L2-3.1.13 Employ cryptographic mechanisms for remote access** — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- **SC.L2-3.13.8 Implement cryptographic mechanisms for transmission** — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

Remediation

##### Fix: Configure SSL/TLS Encryption for Aurora Cluster Instance

Configure a parameter group to enforce SSL/TLS connections for your Aurora cluster instance:

```typescript
const clusterParamGroup = new aws.rds.ParameterGroup("cluster-params", {
    family: "aurora-postgresql14",
    parameters: [
        {
            name: "rds.force_ssl",
            value: "1", // Enforce SSL/TLS for all connections
        },
    ],
});

const clusterInstance = new aws.rds.ClusterInstance("my-cluster-instance", {
    clusterIdentifier: cluster.id,
    instanceClass: "db.r5.large",
    engine: cluster.engine,
    dbParameterGroupName: clusterParamGroup.name, // Attach parameter group with SSL enforcement
});
```

### rds-instance-disallow-public-access

**Severity:** critical · **Enforcement:** advisory

Checks that RDS Instance public access is not enabled.

- **AC.L2-3.1.22 Control CUI on publicly accessible systems** — Control CUI posted or processed on publicly accessible systems.

Remediation

##### Fix: Disable Public Access for RDS Instance

Set `publiclyAccessible` to `false` to prevent the RDS instance from being accessible from the internet:

```typescript
const dbInstance = new aws.rds.Instance("my-database", {
    allocatedStorage: 20,
    engine: "mysql",
    engineVersion: "8.0",
    instanceClass: "db.t3.micro",
    dbSubnetGroupName: privateSubnetGroup.name,
    vpcSecurityGroupIds: [dbSecurityGroup.id],
    publiclyAccessible: false, // Disable public access
    username: dbUsername,
    password: dbPassword,
});
```

### rds-instance-disallow-unencrypted-storage

**Severity:** high · **Enforcement:** advisory

Checks that RDS instance storage is encrypted.

- **MP.L2-3.8.9 Protect confidentiality of backup CUI** — Protect the confidentiality of backup CUI at storage locations.
- **SC.L2-3.13.16 Protect confidentiality of CUI at rest** — Protect the confidentiality of CUI at rest.

Remediation

##### Fix: Enable RDS Storage Encryption

Set the `storageEncrypted` property to true to encrypt the RDS instance storage:

```typescript
const dbInstance = new aws.rds.Instance("my-db", {
    engine: "postgres",
    instanceClass: "db.t3.micro",
    allocatedStorage: 20,
    storageEncrypted: true, // Enable storage encryption
    username: "admin",
    password: adminPassword,
});
```

### rds-instance-managed-service-patching

**Severity:** medium · **Enforcement:** advisory

Ensures RDS instances have automated minor version upgrades enabled

- **CM.L1-3.4.2 Establish and enforce security configuration settings** — Establish and enforce security configuration settings for information technology products employed in organizational systems.
- **MA.L1-3.7.1 Perform system maintenance** — Perform maintenance on organizational systems.
- **RA.L2-3.11.3 Remediate vulnerabilities** — Remediate vulnerabilities in accordance with risk assessments.
- **SI.L1-3.14.1 Identify and correct system flaws** — Identify, report, and correct system flaws in a timely manner.

Remediation

##### Fix: Enable Automatic Minor Version Upgrades for RDS

Set the `autoMinorVersionUpgrade` property to `true` to enable automated patching for managed service security updates:

```typescript
const db = new aws.rds.Instance("my-database", {
    engine: "postgres",
    instanceClass: "db.t3.micro",
    allocatedStorage: 20,
    dbName: "mydb",
    username: "admin",
    password: dbPassword,
    autoMinorVersionUpgrade: true, // Enable automatic minor version upgrades
    skipFinalSnapshot: true,
});
```

### resource-tagging

**Severity:** medium · **Enforcement:** advisory

Ensures all AWS resources must include tags for proper change tracking

- **MP.L2-3.8.4 Mark media with CUI markings** — Mark media with necessary CUI markings and distribution limitations.

Remediation

##### Fix: Add Required Tags to AWS Resources

Add a `tags` property with meaningful values to enable proper change tracking and documentation:

```typescript
const instance = new aws.ec2.Instance("my-instance", {
    ami: "ami-0c55b159cbfafe1f0",
    instanceType: "t3.micro",
    tags: {
        Environment: "production", // Add meaningful tags for change tracking
        Owner: "team-name",
        Application: "web-app",
    },
});
```

### s3-bucket-access-logging

**Severity:** medium · **Enforcement:** advisory

Ensures each S3 bucket has access logging enabled

- **AU.L1-3.3.1 Create and retain system audit logs** — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Remediation

##### Fix: Enable S3 Bucket Access Logging

Create a BucketLogging resource with a target bucket and prefix to enable access logging:

```typescript
const myBucket = new aws.s3.Bucket("my-bucket", {
    // Bucket configuration
});

const logBucket = new aws.s3.Bucket("log-bucket", {
    // Configure log bucket settings
});

const bucketLogging = new aws.s3.BucketLogging("my-bucket-logging", {
    bucket: myBucket.id,
    targetBucket: logBucket.id, // Specify target bucket for logs
    targetPrefix: "logs/my-bucket/", // Specify prefix for organization
});
```

### s3-bucket-encryption

**Severity:** high · **Enforcement:** advisory

S3 buckets must have server-side encryption configured using BucketServerSideEncryptionConfiguration resource

- **MP.L1-3.8.1 Protect system media containing CUI** — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- **MP.L2-3.8.9 Protect confidentiality of backup CUI** — Protect the confidentiality of backup CUI at storage locations.
- **SC.L2-3.13.11 Employ FIPS-validated cryptography** — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
- **SC.L2-3.13.16 Protect confidentiality of CUI at rest** — Protect the confidentiality of CUI at rest.

Remediation

##### Fix: Configure S3 Bucket Server-Side Encryption

Create a separate `BucketServerSideEncryptionConfigurationV2` resource for your S3 bucket with encryption rules. Use AES256 or KMS encryption:

```typescript
const bucket = new aws.s3.BucketV2("my-bucket", {
    bucket: "my-secure-bucket",
});

// Add encryption configuration resource
const bucketEncryption = new aws.s3.BucketServerSideEncryptionConfiguration("my-bucket-encryption", {
    bucket: bucket.id,
    rules: [{
        applyServerSideEncryptionByDefault: {
            sseAlgorithm: "aws:kms", // Enable KMS encryption
            kmsMasterKeyId: kmsKey.arn, // Specify customer-managed key
        },
        bucketKeyEnabled: true, // Enable bucket key for cost optimization
    }],
});
```

### s3-bucket-least-privilege

**Severity:** critical · **Enforcement:** advisory

Prevents overly permissive S3 bucket policies

- **AC.L1-3.1.2 Limit system access to authorized transaction types** — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- **AC.L2-3.1.5 Employ the principle of least privilege** — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- **MP.L1-3.8.2 Limit access to CUI on system media** — Limit access to CUI on system media to authorized users.

Remediation

##### Fix: Use Specific Actions, Resources, and Principals

Replace wildcard (*) values in S3 bucket policy statements with specific, scoped permissions:

```typescript
const bucketPolicy = new aws.s3.BucketPolicy("policy", {
    bucket: bucket.id,
    policy: bucket.arn.apply(arn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::123456789012:role/specific-role" // Specify exact principal ARN
            },
            Action: ["s3:GetObject", "s3:PutObject"], // Use specific S3 actions
            Resource: `${arn}/*` // Scope to specific bucket
        }]
    }))
});
```

### s3-bucket-lifecycle

**Severity:** medium · **Enforcement:** advisory

Ensures each S3 bucket has lifecycle rules configured for retention/disposal

- **MP.L1-3.8.3 Sanitize or destroy system media before disposal** — Sanitize or destroy system media containing CUI before disposal or release for reuse.

Remediation

##### Fix: Configure Lifecycle Rules for S3 Bucket

Create a BucketLifecycleConfiguration resource with at least one enabled rule:

```typescript
const myBucket = new aws.s3.Bucket("my-bucket", {
    // Bucket configuration
});

const lifecycleConfig = new aws.s3.BucketLifecycleConfiguration("my-bucket-lifecycle", {
    bucket: myBucket.id,
    rules: [
        {
            id: "delete-old-objects",
            status: "Enabled", // Rule must be enabled
            expiration: {
                days: 90, // Define retention period (e.g., expire after 90 days)
            },
        },
    ],
});
```

### s3-bucket-public-access-block

**Severity:** critical · **Enforcement:** advisory

Ensures each S3 bucket has a public access block with all settings enabled

- **AC.L2-3.1.22 Control CUI on publicly accessible systems** — Control CUI posted or processed on publicly accessible systems.
- **MP.L1-3.8.2 Limit access to CUI on system media** — Limit access to CUI on system media to authorized users.

Remediation

##### Fix: Enable All Public Access Block Settings

Create a BucketPublicAccessBlock resource with all four settings set to `true`:

```typescript
const myBucket = new aws.s3.Bucket("my-bucket", {
    // Bucket configuration
});

const publicAccessBlock = new aws.s3.BucketPublicAccessBlock("my-bucket-public-access-block", {
    bucket: myBucket.id,
    blockPublicAcls: true,       // Blocks new public ACLs
    blockPublicPolicy: true,     // Blocks new public bucket policies
    ignorePublicAcls: true,      // Ignores existing public ACLs
    restrictPublicBuckets: true, // Restricts public access to buckets with public policies
});
```

### secrets-manager-secret-configure-customer-managed-key

**Severity:** low · **Enforcement:** advisory

Check that Secrets Manager Secrets use a customer-manager KMS key.

- **SC.L2-3.13.16 Protect confidentiality of CUI at rest** — Protect the confidentiality of CUI at rest.

Remediation

##### Fix: Configure Customer-Managed KMS Key for Secrets Manager Secret

Set the `kmsKeyId` property to reference a customer-managed KMS key for encrypting the secret:

```typescript
const secret = new aws.secretsmanager.Secret("my-secret", {
    name: "my-application-secret",
    kmsKeyId: kmsKey.arn, // Use customer-managed KMS key
    description: "Sensitive application credentials",
});
```

### security-group-default-deny

**Severity:** high · **Enforcement:** advisory

Ensures Security Groups follow default deny with explicit allow principle

- **CM.L2-3.4.6 Employ principle of least functionality** — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- **SC.L2-3.13.6 Deny network traffic by default** — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Remediation

##### Fix: Replace Unrestricted CIDR Blocks with Specific IP Ranges

Replace 0.0.0.0/0 in ingress and egress rules with specific CIDR blocks or security group references to follow the default deny with explicit allow principle:

```typescript
const webSecurityGroup = new aws.ec2.SecurityGroup("web-sg", {
    vpcId: vpc.id,
    ingress: [{
        protocol: "tcp",
        fromPort: 443,
        toPort: 443,
        cidrBlocks: ["10.0.0.0/16"], // Use specific CIDR block instead of 0.0.0.0/0
    }],
    egress: [{
        protocol: "tcp",
        fromPort: 443,
        toPort: 443,
        cidrBlocks: ["10.0.0.0/16"], // Use specific CIDR block instead of 0.0.0.0/0
    }],
});
```

### security-group-strict

**Severity:** high · **Enforcement:** advisory

Ensures security groups follow strict firewall rules with default deny

- **AC.L2-3.1.3 Control the flow of CUI** — Control the flow of CUI in accordance with approved authorizations.
- **CM.L2-3.4.6 Employ principle of least functionality** — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- **CM.L2-3.4.7 Restrict nonessential programs and services** — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
- **SC.L1-3.13.1 Monitor and control communications at boundaries** — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
- **SC.L2-3.13.6 Deny network traffic by default** — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Remediation

##### Fix: Configure Strict Security Group Rules

Restrict ingress rules to specific CIDR blocks instead of allowing access from the entire internet (0.0.0.0/0). Use specific protocols and narrow port ranges:

```typescript
const securityGroup = new aws.ec2.SecurityGroup("my-sg", {
    vpcId: vpc.id,
    ingress: [
        {
            protocol: "tcp", // Use specific protocol, not "-1" (all)
            fromPort: 443,
            toPort: 443,
            cidrBlocks: ["10.0.0.0/8"], // Restrict to internal network, not "0.0.0.0/0"
        },
    ],
    egress: [
        {
            protocol: "-1",
            fromPort: 0,
            toPort: 0,
            cidrBlocks: ["0.0.0.0/0"],
        },
    ],
});
```

### subnet-multi-az

**Severity:** medium · **Enforcement:** advisory

Ensures subnets are distributed across multiple availability zones

- **SC.L1-3.13.2 Employ architectural designs promoting security** — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Remediation

##### Fix: Distribute Subnets Across Multiple Availability Zones

Create subnets in at least 2 different availability zones to ensure high availability and fault tolerance:

```typescript
const subnet1 = new aws.ec2.Subnet("subnet-az1", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-east-1a", // Specify explicit AZ
});

const subnet2 = new aws.ec2.Subnet("subnet-az2", {
    vpcId: vpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-east-1b", // Use different AZ for redundancy
});
```

### vpc-endpoint-security-policy

**Severity:** medium · **Enforcement:** advisory

Ensures that VPC endpoints are associated with security policies that limit access to specified resources

- **SC.L1-3.13.2 Employ architectural designs promoting security** — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Remediation

##### Fix: Configure Restrictive VPC Endpoint Policy

Add a policy to your VPC endpoint that specifies explicit principals and resources instead of wildcards:

```typescript
const vpcEndpoint = new aws.ec2.VpcEndpoint("my-endpoint", {
    vpcId: vpc.id,
    serviceName: "com.amazonaws.us-west-2.s3",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::123456789012:role/MyRole" // Specify explicit principal ARN
            },
            Action: "s3:GetObject",
            Resource: "arn:aws:s3:::my-bucket/*" // Specify explicit resource ARN
        }]
    }),
});
```

### vpc-flow-logs

**Severity:** medium · **Enforcement:** advisory

Ensures VPC flow logs use approved destinations for centralized monitoring

- **AC.L2-3.1.3 Control the flow of CUI** — Control the flow of CUI in accordance with approved authorizations.
- **AC.L2-3.1.12 Monitor and control remote access sessions** — Monitor and control remote access sessions.
- **AU.L1-3.3.1 Create and retain system audit logs** — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- **SC.L1-3.13.1 Monitor and control communications at boundaries** — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
- **SI.L2-3.14.6 Monitor systems to detect attacks** — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Remediation

##### Fix: Configure VPC Flow Logs with Approved Destination

Configure VPC Flow Logs to use one of the approved log destinations specified in the policy configuration:

```typescript
const flowLog = new aws.ec2.FlowLog("vpc-flow-log", {
    vpcId: vpc.id,
    trafficType: "ALL",
    logDestination: "arn:aws:s3:::approved-logging-bucket", // Use approved destination
    logDestinationType: "s3",
});
```

### vpc-subnet-flow-logs

**Severity:** medium · **Enforcement:** advisory

Ensures all VPCs and subnets have flow logs enabled

- **SC.L2-3.13.5 Implement subnetworks for publicly accessible components** — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- **SI.L2-3.14.6 Monitor systems to detect attacks** — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Remediation

##### Fix: Enable VPC Flow Logs for Network Monitoring

Create a VPC Flow Log resource and associate it with your VPC or subnet to capture network traffic information:

```typescript
const vpc = new aws.ec2.Vpc("my-vpc", {
    cidrBlock: "10.0.0.0/16",
});

// Enable flow logs for the VPC
const flowLog = new aws.ec2.FlowLog("vpc-flow-log", {
    vpcId: vpc.id, // Associate flow log with VPC
    trafficType: "ALL", // Capture all traffic (ACCEPT, REJECT, ALL)
    logDestinationType: "cloud-watch-logs",
    logDestination: logGroup.arn,
    iamRoleArn: flowLogRole.arn,
});
```

### waf-association-validation

**Severity:** critical · **Enforcement:** advisory

Validates WAF Web ACL associations are properly configured

- **SC.L1-3.13.1 Monitor and control communications at boundaries** — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Remediation

##### Fix: Configure WAF Web ACL Association Properties

Ensure both `resourceArn` and `webAclArn` are specified in the WAF association:

```typescript
const wafAssociation = new aws.wafv2.WebAclAssociation("my-waf-association", {
    resourceArn: resource.arn, // Specify the resource ARN to protect
    webAclArn: webAcl.arn, // Specify the WAF Web ACL ARN
});
```


