Skip to main content
Pulumi logo Pulumi logo
  1. Docs
  2. Reference
  3. Pre-built Policy Packs
  4. HITRUST
  5. AWS Native

HITRUST CSF 11.5 - AWS Native

    This page lists all 114 policies in the HITRUST CSF 11.5 pack for AWS Native, as published in hitrust-awsnative version 2.0.1.

    Policies

    anti-malware-edr

    Enforcement: advisory

    Ensures EC2 instances have anti-malware/EDR agents deployed

    api-gateway-access-logging

    Enforcement: advisory

    Ensures API Gateway stages have access logging enabled

    api-gateway-authorization

    Enforcement: advisory

    Ensures API Gateway methods use strong authorization instead of NONE

    api-gateway-waf-association

    Enforcement: advisory

    HITRUST 13.ac01.01 - Ensures public-facing API Gateways have WAF associations

    apigateway-domainname-configure-security-policy

    Enforcement: advisory

    Checks that ApiGateway Domain Name Security Policy uses secure/modern TLS encryption.

    apigatewayv2-domainname-configure-domain-name-security-policy

    Enforcement: advisory

    Checks that any ApiGatewayV2 Domain Name Security Policy uses secure/modern TLS encryption.

    apigatewayv2-domainname-enable-domain-name-configuration

    Enforcement: advisory

    Checks that any ApiGatewayV2 Domain Name Configuration is enabled.

    appflow-connectorprofile-configure-customer-managed-key

    Enforcement: advisory

    Check that AppFlow ConnectorProfile uses a customer-managed KMS key.

    appflow-flow-configure-customer-managed-key

    Enforcement: advisory

    Check that AppFlow Flow uses a customer-managed KMS key.

    athena-workgroup-configure-customer-managed-key

    Enforcement: advisory

    Checks that Athena Workgroups use a customer-managed-key.

    athena-workgroup-disallow-unencrypted-workgroup

    Enforcement: advisory

    Checks that Athena Workgroups are encrypted.

    athena-workgroup-enforce-configuration

    Enforcement: advisory

    Checks that Athena Workgroups enforce their configuration to their clients.

    centralized-os-app-logging

    Enforcement: advisory

    Ensures EC2 instances have logging agents configured to forward OS/application logs to central system

    cloud-asset-inventory

    Enforcement: advisory

    Enforces tagging for cloud asset inventory and management

    cloudfront-distribution-configure-access-logging

    Enforcement: advisory

    Checks that any CloudFront distributions have access logging configured.

    cloudfront-distribution-configure-secure-tls

    Enforcement: advisory

    Checks that CloudFront distributions uses secure/modern TLS encryption.

    cloudfront-distribution-configure-secure-tls-to-origin

    Enforcement: advisory

    Checks that CloudFront distributions communicate with custom origins using TLS 1.2 encryption only.

    cloudfront-distribution-configure-waf-acl

    Enforcement: advisory

    Checks that CloudFront distributions have a WAF ACL associated.

    cloudfront-distribution-disallow-unencrypted-traffic

    Enforcement: advisory

    Checks that CloudFront distributions only allow encypted ingress traffic.

    cloudfront-distribution-enable-access-logging

    Enforcement: advisory

    Checks that any CloudFront distributions have access logging enabled.

    cloudfront-distribution-enable-tls-to-origin

    Enforcement: advisory

    Checks that CloudFront distributions communicate with custom origins using TLS encryption.

    cloudfront-waf-association

    Enforcement: advisory

    HITRUST 13.ac01.01 - Ensures CloudFront distributions have WAF associations

    database-strict-network-access

    Enforcement: advisory

    Ensures RDS instances have strict network access controls

    dynamodb-streams-enabled

    Enforcement: advisory

    Enforces that all DynamoDB tables have Stream settings enabled to capture all changes

    ec2-instance-disallow-public-ip

    Enforcement: advisory

    Checks that EC2 instances do not have a public IP address.

    ec2-instance-disallow-unencrypted-block-device

    Enforcement: advisory

    Checks that EC2 instances do not have unencrypted block devices.

    ec2-instance-disallow-unencrypted-root-block-device

    Enforcement: advisory

    Checks that EC2 instances does not have unencrypted root volumes.

    ec2-launchtemplate-configure-customer-managed-key

    Enforcement: advisory

    Check that encrypted EBS volume uses a customer-managed KMS key.

    ec2-launchtemplate-disallow-public-ip

    Enforcement: advisory

    Checks that EC2 Launch Templates do not have public IP addresses.

    ec2-launchtemplate-disallow-unencrypted-block-device

    Enforcement: advisory

    Checks that EC2 Launch Templates do not have unencrypted block device.

    ec2-securitygroup-disallow-inbound-http-traffic

    Enforcement: advisory

    Check that EC2 Security Groups do not allow inbound HTTP traffic.

    ec2-volume-configure-customer-managed-key

    Enforcement: advisory

    Check that encrypted EBS volumes use a customer-managed KMS key.

    ec2-volume-disallow-unencrypted-volume

    Enforcement: advisory

    Checks that EBS volumes are encrypted.

    ecr-image-scanning

    Enforcement: advisory

    HITRUST 09.ac05.01 - Ensures ECR repositories have image scanning enabled for vulnerability management

    ecr-repository-configure-customer-managed-key

    Enforcement: advisory

    Checks that ECR repositories use a customer-managed KMS key.

    ecr-repository-configure-image-scan

    Enforcement: advisory

    Checks that ECR repositories have ‘scan-on-push’ configured.

    ecr-repository-disallow-mutable-image

    Enforcement: advisory

    Checks that ECR Repositories have immutable images enabled.

    ecr-repository-disallow-unencrypted-repository

    Enforcement: advisory

    Checks that ECR Repositories are encrypted.

    ecr-repository-enable-image-scan

    Enforcement: advisory

    Checks that ECR repositories have ‘scan-on-push’ enabled.

    ecs-task-definition-image-scanning

    Enforcement: advisory

    HITRUST 09.ac05.01 - Ensures ECS task definitions use images from repositories with vulnerability scanning

    efs-filesystem-configure-customer-managed-key

    Enforcement: advisory

    Check that encrypted EFS File system uses a customer-managed KMS key.

    efs-filesystem-disallow-unencrypted-file-system

    Enforcement: advisory

    Checks that EFS File Systems do not have an unencrypted file system.

    eks-cluster-disallow-api-endpoint-public-access

    Enforcement: advisory

    Check that EKS Clusters API Endpoint are not publicly accessible.

    eks-cluster-enable-cluster-encryption-config

    Enforcement: advisory

    Check that EKS Cluster Encryption Config is enabled.

    elb-listener-disallow-unencrypted-traffic

    Enforcement: advisory

    Check that ELB Listeners do not allow unencrypted (HTTP) traffic.

    elb-loadbalancer-disallow-unencrypted-traffic

    Enforcement: advisory

    Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic.

    environment-separation-tagging

    Enforcement: advisory

    Ensures that resources are tagged to distinguish between production and non-production environments

    iam-group-policy-least-privilege

    Enforcement: advisory

    Ensures IAM group policies follow least privilege principles

    iam-policy-least-privilege

    Enforcement: advisory

    Ensures IAM managed policies follow least privilege principles

    iam-policy-mfa-enforcement

    Enforcement: advisory

    Ensures IAM policies require MFA for privileged actions

    iam-role-least-privilege

    Enforcement: advisory

    Ensures IAM roles follow least privilege principles

    iam-role-mfa-enforcement

    Enforcement: advisory

    Ensures IAM roles require MFA for privileged actions

    iam-role-policy-least-privilege

    Enforcement: advisory

    Ensures IAM role policies follow least privilege principles

    iam-role-policy-mfa-enforcement

    Enforcement: advisory

    Ensures IAM role policies require MFA for privileged actions

    iam-role-session-duration

    Enforcement: advisory

    Enforces maximum session duration for IAM roles

    iam-user-policy-least-privilege

    Enforcement: advisory

    Ensures IAM user policies follow least privilege principles

    kinesis-event-source-mapping-dlq

    Enforcement: advisory

    Ensures Kinesis Lambda event source mappings have DLQ configuration

    kinesis-stream-retention

    Enforcement: advisory

    Ensures Kinesis streams have retention periods configured

    kms-key-creation

    Enforcement: advisory

    HITRUST 09.ab01.01 - Validates KMS key creation with appropriate specifications and origins

    kms-key-deletion-lifecycle

    Enforcement: advisory

    HITRUST 09.ac10.01, 06.ad04.01 - Validates KMS key deletion windows and lifecycle management

    kms-key-enable-key-rotation

    Enforcement: advisory

    Checks that KMS Keys have key rotation enabled.

    kms-key-policy-access-control

    Enforcement: advisory

    HITRUST 07.ad01.01, 07.ad02.01 - Validates KMS key policies for least privilege and separation of duties

    lambda-environment-variables-encryption

    Enforcement: advisory

    Ensures that all Lambda functions have their environment variables encrypted using AWS KMS

    lambda-function-documentation

    Enforcement: advisory

    Ensures all AWS Lambda functions have a documented description attribute

    lambda-function-logging

    Enforcement: advisory

    Ensures that all AWS Lambda functions have logging enabled to track output data processing

    lambda-permission-configure-source-arn

    Enforcement: advisory

    Checks that lambda function permissions have a source arn specified.

    lambda-runtime-restrictions

    Enforcement: advisory

    Ensures that AWS Lambda functions are created only with approved runtime versions

    least-privilege

    Enforcement: advisory

    Ensures IAM policies follow least privilege principles

    limit-lambda-execution-time

    Enforcement: advisory

    Ensures that AWS Lambda functions are configured to time out after a specified duration to prevent extended access

    load-balancer-waf-association

    Enforcement: advisory

    HITRUST 13.ac01.01 - Ensures public-facing Load Balancers have WAF associations

    no-hardcoded-secrets

    Enforcement: advisory

    Ensures EC2 instances do not contain hardcoded secrets

    pubsub-least-privilege-iam

    Enforcement: advisory

    Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis)

    rds-audit-logging

    Enforcement: advisory

    Ensures RDS instances have audit logging enabled

    rds-cluster-secure-master-credentials

    Enforcement: advisory

    Ensures RDS clusters use secure credential management instead of hardcoded passwords

    rds-dbcluster-configure-backup-retention

    Enforcement: advisory

    Checks that RDS DB Cluster backup retention policy is configured.

    rds-dbcluster-configure-customer-managed-key

    Enforcement: advisory

    Checks that RDS DB Cluster storage uses a customer-managed KMS key.

    rds-dbcluster-disallow-single-availability-zone

    Enforcement: advisory

    Check that RDS DB Cluster doesn’t use single availability zone.

    rds-dbcluster-disallow-unencrypted-storage

    Enforcement: advisory

    Checks that RDS DB Cluster storage is encrypted.

    rds-dbcluster-enable-backup-retention

    Enforcement: advisory

    Checks that RDS DB Clusters backup retention policy is enabled.

    rds-dbinstance-configure-customer-managed-key

    Enforcement: advisory

    Checks that RDS DB Instance storage uses a customer-managed KMS key.

    rds-dbinstance-disallow-public-access

    Enforcement: advisory

    Checks that RDS DB Instances public access is not enabled.

    rds-dbinstance-disallow-unencrypted-storage

    Enforcement: advisory

    Checks that RDS DB Instance storage is encrypted.

    rds-dbinstance-enable-backup-retention

    Enforcement: advisory

    Checks that RDS DB Instances backup retention policy is enabled.

    rds-iam-authentication

    Enforcement: advisory

    Ensures RDS instances have IAM database authentication enabled

    rds-instance-high-availability

    Enforcement: advisory

    Ensures RDS instances have Multi-AZ deployment enabled for high availability

    rds-managed-service-patching

    Enforcement: advisory

    Ensures RDS instances have automated minor version upgrades enabled

    rds-private-subnet-validation

    Enforcement: advisory

    Validates that RDS DB subnet groups contain only private subnets

    rds-secure-master-credentials

    Enforcement: advisory

    Ensures RDS instances use secure credential management instead of hardcoded passwords

    rds-ssl-encryption

    Enforcement: advisory

    Ensures RDS instances have SSL/TLS encryption enabled

    resource-tagging

    Enforcement: advisory

    Ensures all AWS resources must include tags for proper change tracking

    restrict-default-iam-user-creation

    Enforcement: advisory

    Ensures that default IAM user accounts are not allowed to be created

    s3-bucket-access-logging

    Enforcement: advisory

    Ensures S3 buckets have access logging enabled

    s3-bucket-configure-server-side-encryption-customer-managed-key

    Enforcement: advisory

    Check that S3 Buckets Server-Side Encryption (SSE) is using a customer-managed KMS Key.

    s3-bucket-configure-server-side-encryption-kms

    Enforcement: advisory

    Check that S3 Buckets Server-Side Encryption (SSE) uses AWS KMS.

    s3-bucket-disallow-public-read

    Enforcement: advisory

    Checks that S3 Bucket ACLs don’t allow ‘PublicRead’, ‘PublicReadWrite’ or ‘AuthenticatedRead’.

    s3-bucket-enable-server-side-encryption

    Enforcement: advisory

    Check that S3 Bucket Server-Side Encryption (SSE) is enabled.

    s3-bucket-least-privilege

    Enforcement: advisory

    Prevents overly permissive S3 bucket policies

    s3-bucket-lifecycle

    Enforcement: advisory

    Ensures S3 buckets have lifecycle rules configured for retention/disposal

    s3-bucket-macie-access

    Enforcement: advisory

    Ensures S3 buckets allow AWS Macie access for data classification and discovery

    s3-bucket-public-access-block

    Enforcement: advisory

    Ensures S3 bucket public access blocks have all settings enabled

    s3-bucket-replication

    Enforcement: advisory

    Ensures S3 buckets have replication configured for enhanced availability

    s3-bucket-versioning

    Enforcement: advisory

    Ensures S3 buckets have versioning enabled

    secretsmanager-secret-configure-customer-managed-key

    Enforcement: advisory

    Check that Secrets Manager Secrets use a customer-manager KMS key.

    security-group-default-deny

    Enforcement: advisory

    Ensures Security Groups follow default deny with explicit allow principle

    security-group-ssh-rdp

    Enforcement: advisory

    Ensures security groups do not allow SSH/RDP from the internet

    security-group-strict

    Enforcement: advisory

    Ensures security groups follow strict firewall rules with default deny

    sqs-dead-letter-queue

    Enforcement: advisory

    Ensures SQS queues have dead letter queue configuration

    sqs-encryption

    Enforcement: advisory

    Ensures SQS queues have server-side encryption enabled

    sqs-message-retention

    Enforcement: advisory

    Ensures SQS queues have message retention periods configured

    subnet-multi-az

    Enforcement: advisory

    Ensures subnets are distributed across multiple availability zones

    vpc-endpoint-security-policy

    Enforcement: advisory

    Ensures that VPC endpoints are associated with security policies that limit access to specified resources

    vpc-flow-logs

    Enforcement: advisory

    Ensures VPC flow logs use approved destinations for centralized monitoring

    vpc-subnet-flow-logs

    Enforcement: advisory

    Ensures all VPCs and subnets have flow logs enabled

    waf-association-validation

    Enforcement: advisory

    HITRUST 13.ac01.01 - Validates WAF Web ACL associations are properly configured

      The infrastructure as code platform for any cloud.