Skip to content

Policy Library For Secure AWS Infrastructure

Welcome

nhammadi/policy-library-opa-aws-terraform

Policies Per AWS Service

AWS AppSync

enable-at-rest-encryption AWS AppSync API caches should be encrypted at rest
enable-in-transit-encryption AWS AppSync API caches should be encrypted in transit

Amazon API Gateway V2

enable-access-logs Access logging should be configured for API Gateway V2 Stages

Amazon Athena

enable-logging Athena workgroups should have logging enabled

Database Migration Service

enable-auto-minor-version-upgrade DMS replication instances should have automatic minor version upgrade enabled
use-ssl DMS endpoints should use SSL
disable-public-access Database Migration Service replication instances should not be public

DynamoDB

enable-dax-at-rest-encryption Amazon DynamoDB Accelerator (DAX) clusters should be encrypted at rest
enable-dax-in-transit-encryption Amazon DynamoDB Accelerator (DAX) clusters should be encrypted in transit

Elastic File System

enable-at-rest-encryption Elastic File Systems should be configured to encrypt data at-rest using AWS KMS

Amazon EventBridge

attach-resource-based-policy EventBridge custom event buses should have a resource-based policy attached

Amazon ECR

enable-private-image-scanning ECR private repositories should have image scanning configured
configure-private-lifecycle-policy ECR repositories should have at least one lifecycle policy configured

Amazon ECS

enable-container-insights ECS clusters should use Container Insights
disable-taskset-assign-public-ip ECS task sets should not automatically assign public IP addresses

Amazon ElastiCache

enable-auto-minor-version-upgrade ElastiCache clusters should have automatic minor version upgrades enabled

AWS Glue

spark-job-supported-version AWS Glue Spark jobs should run on supported versions of AWS Glue

Kinesis Data Streams

enable-server-side-encryption Kinesis streams should be encrypted at rest

AWS KMS

enable-key-rotation AWS KMS key rotation should be enabled

Amazon MQ

enable-auto-minor-version-upgrade Amazon MQ brokers should have automatic minor version upgrade enabled

Amazon Neptune

enable-copy-tags-to-snapshots Neptune DB clusters should be configured to copy tags to snapshots

Amazon OpenSearch

enable-node-to-node-encryption OpenSearch domains should encrypt data sent between nodes

Amazon Redshift

disable-public-access Amazon Redshift clusters should prohibit public access
enable-version-upgrade Amazon Redshift should have automatic upgrades to major versions enabled

Amazon Kinesis Data Firehose

enable-server-side-encryption Firehose delivery streams should be encrypted at rest using AWS KMS

Amazon Relational Database Service

enable-auto-minor-version-upgrade RDS automatic minor version upgrades should be enabled

Amazon SQS

enable-at-rest-encryption Amazon SQS queues should be encrypted at rest

AWS Step Functions

enable-logging Step Functions state machines should have logging turned on