CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
    • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
      • GDPR
      • HIPAA
      • ISO/IEC 27001:2022
      • ISO 27002:2022
      • RBI Baseline Cyber Security and Resilience Requirements
      • PCI DSS v4.0
      • SOC 2
      • MISRA-C-2012
      • MISRA-CPP-2023
      • AUTOSAR-CPP-2014
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
    Compliance

    ISO/IEC 27001:2022

    Ensure IAM password policy prevents password reuse

    • The policy ensures that users can’t reuse old passwords, thereby reducing the risks related to compromised passwords. If a hacker gets access to old passwords, they won’t be able to use them.
    • This policy improves the security posture of the AWS IAM, as enforcing unique passwords for accounts requires users to constantly change and update their passwords, making it difficult for unauthorized users to gain access.
    • Enforcing a no password reuse policy encourages the use of strong and unique passwords among users. This, in turn, makes the system more secure by hardening authentication processes.
    • It fosters better password management practices among users, leading to a culture of security consciousness and vigilance against potential cybersecurity threats.

    Ensure CloudTrail log file validation is enabled

    • Ensuring CloudTrail log file validation is enabled provides an additional layer of security by verifying that the CloudTrail logs have not been tampered with. This safeguard helps maintain the integrity of logs and the reliability of audit activities in the AWS environment.
    • This policy is critical because log file validation allows for the detection of unauthorized changes to log files. If a log file is modified, deleted, or moved from its original location, it will fail validation, notifying admins about potential security breaches.
    • The enabled log file validation policy contributes to establishing a robust security posture in AWS. It supports compliance with industry security standards and regulations that require monitoring and logging of activities in the IT infrastructure.
    • It can prevent potential data loss situations. If a CloudTrail log file is inadvertently modified or deleted, the log record remains intact because it retains a copy of the content. This policy helps to ensure traceability and accountability of actions made in the AWS environment.

    Ensure CloudTrail is enabled in all Regions

    • Enabling CloudTrail in all regions is important as it provides visibility into user activity by recording actions taken on your AWS infrastructure, thereby increasing transparency and accountability.
    • This policy aids in detecting unusual or unauthorized activities by allowing you to review detailed CloudTrail event logs that track every API call made across all regions, providing an additional layer of security.
    • It facilitates compliance with various regulations by providing an auditable record of all changes and administrative actions on AWS resources across every region, increasing the traceability and meeting various IT governance requirements.
    • Disabling CloudTrail in any region could result in not detecting potential security threats in those regions. This could seriously harm the organization’s valuable resources and data, making this policy crucial for maintaining and improving overall security posture.

    Ensure CloudTrail logging is enabled

    • Enabling CloudTrail logging is crucial for auditing and monitoring activities in your AWS environment. It records and retains event log files of all API activity, which is essential in detecting suspicious activity or identifying operational issues.
    • This policy helps in ensuring compliance with numerous cybersecurity standards and audits. CloudTrail logging can be utilised as evidence for demonstrating compliance with internal policies or external regulations by providing a history of actions, changes, and events.
    • Implementing this policy means that even in the case of a security incident, having enabled CloudTrail logging offers the ability to conduct thorough forensic analysis. It allows the security team to trace back the actions of an attacker or determine the cause of an incident.
    • Without enforcing this policy, organisations are exposed to an increased risk of undetected security breaches. Unidentified malicious activities or unauthorized changes in infrastructure could lead to data leaks, service disruptions, or additional costs due to the misuse of resources.

    Ensure ELB Policy uses only secure protocols

    • This policy ensures that Elastic Load Balancing (ELB) only uses secure protocols, fortifying the defense of data transmitted between the client and the load balancer, reducing the risk of data breach.
    • With secure protocols, it guards against attacks like surveillance, data modification, and spoofing by lowering the chance of unencrypted or weakly encrypted data being intercepted or tampered.
    • Using insecure protocols can lead to non-compliance with data protection regulations like GDPR or HIPAA, resulting in severe legal and financial consequences. This policy helps in maintaining compliance with such regulations.
    • Implementing this policy via Infrastructure as Code (IaC) approach using Terraform allows for scalable, repeatable, and efficient security configuration across various AWS load balancer policies, enhancing the overall security posture.

    Ensure EFS is securely encrypted

    • Ensuring that EFS (Elastic File System) is securely encrypted helps protect sensitive data stored in the AWS EFS, providing an extra layer of safety against unauthorized access and data breaches.
    • Enforcing this policy can significantly enhance the security posture of the AWS environment since EFS, primarily used for sharing data across multiple instances, without encryption, can expose sensitive data to potential eavesdropping activities.
    • Compliance with regulations: Many industries and jurisdictions have mandatory data protection laws and regulations that require encryption-at-rest for certain types of data. Implementing EFS encryption ensures compliance with such regulatory requirements.
    • This policy, implemented via Infrastructure as Code (IaC) such as Cloudformation, enables automated, repeatable, and scalable encryption process which will reduce manual errors and overhead of manual configuration, thus improving efficiency while assuring compliance continuously.

    Ensure IAM policies that allow full *-* administrative privileges are not created

    • Restricting the creation of IAM policies that allow full ”-” administrative privileges helps in maintaining a principle of least privilege, ensuring only necessary permissions are granted. This significantly reduces the risk of unauthorized access or potential misuse of permissions.
    • Without this policy, there could be unrestricted access across all services within the AWS environment, increasing the risk of inadvertent modifications or deletions, possibly leading to business disruption, data loss or service unavailability.
    • Overly permissive IAM policies could potentially open up avenues for security breaches. A hacker who gains access to these permissions could take control of the entire AWS account, stealing sensitive information, or injecting malicious code.
    • Imposing this security policy encourages the adoption of role-based access control (RBAC), increasing accountability and enforceability. This can help an organization monitor and audit user actions more effectively and detect policy violations promptly.

    Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy

    • This security policy is important as it restricts the use of the AWS AdministratorAccess policy to IAM roles, users, and groups. This limits the access and control over AWS resources, thus minimizing the risk of unauthorized or destructive actions by reducing the attack surface.
    • By enforcing this policy, you can implement the principle of least privilege. This practice states that a user should have the minimal levels of access – or permissions – to perform his/her job functions. This prevents potential misuse of excessive permissions.
    • The policy reduces the risk of a single point of compromise by not letting any specific IAM user, group, or role have complete admin access. If one account is compromised, the impact is limited because the attacker does not automatically gain full control of the entire AWS environment.
    • This policy impacts organizational security by holding individual users accountable for their actions with clearly defined permissions and roles. This allows for better monitoring and auditability of activities, thereby improving the ability to detect abnormal or suspicious behavior promptly.

    Disallow policies from using the AWS AdministratorAccess policy

    • The policy ensures restricted access to AWS services as granting AdministratorAccess can lead to an over-privilege scenario, where a user, group, or role receives more access than necessary, posing a significant security risk.
    • It helps maintain the principle of least privilege (PoLP), which is crucial because minimizing the potential impact of credential compromise can help protect information and systems from unauthorized use, data loss, or malicious activities.
    • This policy mitigates risk as attaching the AWS AdministratorAccess policy effectively provides full permissions to all AWS services and resources, potentially enabling accidental alterations or deletions in the infrastructure, ultimately affecting service integrity and reliability.
    • Furthermore, it reinforces accountability and auditing requirements, as access rights and activities can be traced back to individual users or services. Without this limitation, tracking unauthorized or malicious activities becomes complicated, hindering incident response and forensic investigations.

    Ensure all data stored in RDS is not publicly accessible

    • This policy safeguards sensitive information by ensuring no unauthorized users can access the data stored in RDS, thereby reducing the risk of data breaches and maintaining the confidentiality and integrity of the data.
    • It helps in mitigating potential legal and financial repercussions. If sensitive data such as personal identifiable information (PII) gets breached, the company might face heavy penalties and damage of reputation.
    • Enforcing this policy aligns with the best practices for data security in cloud computing environments, especially within AWS, fostering trust among stakeholders, clients and regulatory bodies.
    • By automatically blocking public access through Infrastructure as Code (IaC) methods like Cloudformation, the policy minimizes human error and the risk associated with manual configuration adjustments, thus enhancing the overall security posture of the cloud environment.

    Ensure that RDS clusters have deletion protection enabled

    • Enabling deletion protection on RDS clusters prevents accidental deletion of critical data, ensuring the continuity of business operations and reducing potential downtime due to data loss.
    • This policy ensures that organizational standards for data protection and disaster recovery are adhered to, which can be particularly important for compliance with regulations like GDPR and HIPAA.
    • By using Infrastructure as Code (IaC) with Terraform to enforce this policy, organizations can automate and standardize protection settings across all RDS clusters, reducing the likelihood of human error.
    • Disabling deletion protection can expose the system to potential risks such as data tampering and cyber attacks; therefore, adhering to the policy aids in maintaining the integrity and security of the system.

    Ensure Elasticsearch Domain enforces HTTPS

    • Ensuring Elasticsearch Domain enforces HTTPS enhances the security of data in transit between the client and the server by encrypting it, which helps prevent unauthorized access and tampering.
    • This policy safeguards sensitive information in Elasticsearch Domain from being exposed during transmission, reducing the risk of data breaches or leaks due to eavesdropping on network traffic.
    • Non-compliance with this policy could potentially leave the Elasticsearch domains vulnerable to man-in-the-middle attacks where attackers could hijack the connection and steal sensitive information.
    • Implementing this policy via Infrastructure as Code (IaC) with CloudFormation allows for scalability, repeatability and helps maintain a secure configuration regardless of the environment size or complexity.

    Ensure the S3 bucket has access logging enabled

    • Enabling access logging for the S3 bucket provides detailed records for the requests made to this bucket. This is essential as it helps track any changes made to the bucket and allows for easy tracing of the activities in the event of security breaches or for general auditing.
    • It helps protect against unauthorized access or data breaches by keeping track of all the access requests including the source, time of access, the object that was accessed, and the action performed. Identifying any unexpected behavior or malicious activity becomes more efficient.
    • This access log can serve as a research base when working towards compliance with different standards or legal requirements. Companies with significant regulatory burdens can use these logs to establish patterns, corroborate events, or provide evidence in support of an investigation.
    • This policy will also provide a hindsight into the bucket’s typical usage patterns and help identify any unnecessary or redundant access actions. Such an understanding can lead to optimization of operations and cost management in relation to data storage and management in an AWS environment.

    Ensure VPC subnets do not assign public IP by default

    • Implementing this policy helps in reducing overall attack surface, as limiting the assignment of public IP addresses to VPC subnets by default reduces the number of potential targets that malicious actors can exploit.
    • It ensures an additional layer of security by controlling and monitoring the entities in the network that communicate with public networks, thereby limiting potential unauthorized access and data breaches.
    • Enforcing this policy results in network traffic to flow through designated points, creating an opportunity for centralized inspection, logging, auditing, and possible intrusion detection, which further strengthens the security posture.
    • This policy could also lead to cost savings as unnecessary assignment of public IPs could lead to unwanted egress data transfer charges. It promotes a financially efficient use of resources while maintaining optimal security.

    Ensure Kinesis Stream is securely encrypted

    • Ensuring Kinesis Stream encryption is crucial because it protects sensitive data from unauthorized access and breaches by encrypting all the data records using AWS Key Management Service (KMS) keys.
    • It safeguards the confidentiality and integrity of the data transmitted through the stream, thereby ensuring that information isn’t compromised if intercepted during transit or at rest.
    • Implementing this policy via Infrastructure as Code (IaC) using Cloudformation allows for better scalability, manageability, and consistency, preventing misconfigurations that could leave the data vulnerable.
    • Non-compliance to this policy could lead to regulatory fines if found in violation of standards like GDPR or HIPAA, which require robust measures for protection of personal data.

    Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)

    • This policy ensures that Kinesis Video Stream data is robustly encrypted for higher security, quantifying potential risks of data breaches or cyber attacks that target and exploit improperly guarded information.
    • Leveraging a customer managed Key (CMK) provides further control and flexibility, allowing users to define how the encryption keys are generated, used and rotated, enhancing the overall ownership and management on data security.
    • The policy helps in compliance with regulatory standards and legal obligations pertaining to data privacy and protection, like GDPR and HIPAA, that necessitate stringent data safeguarding measures.
    • Implementing this policy through Infrastructure as Code (IaC) with tools like Terraform makes it easier and more efficient to apply across wide-ranging AWS services, enabling faster deployment, easier auditing, and consistent application of security measures.

    Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)

    • This policy ensures that data flowing through the Kinesis Stream is securely encrypted using a Customer Managed Key (CMK), protecting sensitive information from unauthorized access.
    • The CMK encryption method enhances the security level as it gives the user more control over the encryption keys unlike the default AWS managed keys, thus preventing potential access by unwanted or unauthorized entities.
    • Implementing this policy through Infrastructure as Code (IaC) using Terraform eliminates manual errors, streamlines security deployment across multiple Kinesis streams, and ensures consistency in enforcing security practices.
    • Non-compliance with this policy can lead to potential data breaches, compliance issues, and significant reputational and financial loss if sensitive data is exposed.

    Ensure Kinesis Firehose delivery stream is encrypted

    • This policy ensures that data being streamed through the Kinesis Firehose delivery stream is encrypted, enhancing the confidentiality and integrity of the data being transmitted.
    • Enabling encryption on Kinesis Firehose Delivery Stream provides an additional layer of security and prevents unauthorized access to sensitive information, thereby complying with data protection regulations and standards.
    • Non-compliance with this policy could result in potential data breaches, legal consequences, brand reputation damage, and losing customer trust if sensitive data is left unprotected in the stream.
    • The policy is implemented using Infrastructure as Code (IaC) tool, Terraform which allows automated and consistent deployment of such security controls across the infrastructure. This greatly reduces the chances of manual error and oversight in security implementation.

    Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK

    • This policy ensures that data being transmitted via Kinesis Firehose Delivery Streams is encrypted, making it less likely to be readable or usable by unauthorized entities, hence increasing data confidentiality.
    • Utilization of Customer Master Keys (CMK) for encryption elevates protection further as CMKs are specific to each user and therefore not easily deciphered by third parties.
    • If not implemented properly, unencrypted or poorly encrypted data in the Kinesis Delivery Streams could lead to breaches of sensitive or critical information, potentially causing substantial reputation and monetary damage.
    • Implementing and enforcing this policy with Infrastructure as Code (IaC) using Terraform ensures consistency and uniformity in security across all Kinesis Firehose Delivery Streams, reducing the risk of human errors or oversights.

    Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK

    • This policy ensures that the storage used for streaming video through Kinesis on AWS Connect instances is properly encrypted using a Customer Master Key (CMK), adding an extra layer of security to protect sensitive data from unauthorized access.
    • By enforcing CMK usage, the policy allows for greater control over the cryptographic keys, as AWS clients can choose to have AWS manage keys on their behalf, or manage keys on their own both in AWS Key Management Service and on-premises.
    • Implementing the policy in Terraform ensures consistent and automated deployment, reducing human error and streamlining operations within a secure environment, thereby facilitating compliance with security best practices and standards.
    • Non-compliance with this policy could potentially expose sensitive video data to cyberthreats, leading to data breaches and non-compliance with regulatory requirements, which may result in significant financial and reputational damage for the organization.

    Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager

    • Ensuring that Elastic Load Balancer uses SSL certificates provided by AWS Certificate Manager enhances data security by encrypting the data during transmission. This makes it difficult for potential attackers to intercept sensitive information.
    • AWS Certificate Manager provides a centralized way to manage and deploy SSL certificates, thus this policy simplifies certificate administration tasks such as procurement, deployment, renewal, and deletion and thereby reduces human error and the subsequent risk of security breaches.
    • Since AWS Certificate Manager automatically handles renewals, the policy would prevent any overlooked expirations of certificate that could lead to lapse in encryption and hence compromise data security.
    • Implementing this policy with Infrastructure as Code (IaC) using Terraform facilitates automated compliance checks and policy enforcement - making it easier to maintain, replicate, and scale secure infrastructure setups.

    Ensure IAM policies that allow full *-* administrative privileges are not created

    • Restricting the creation of IAM policies that allow full ”-” administrative privileges helps in maintaining a principle of least privilege, ensuring only necessary permissions are granted. This significantly reduces the risk of unauthorized access or potential misuse of permissions.
    • Without this policy, there could be unrestricted access across all services within the AWS environment, increasing the risk of inadvertent modifications or deletions, possibly leading to business disruption, data loss or service unavailability.
    • Overly permissive IAM policies could potentially open up avenues for security breaches. A hacker who gains access to these permissions could take control of the entire AWS account, stealing sensitive information, or injecting malicious code.
    • Imposing this security policy encourages the adoption of role-based access control (RBAC), increasing accountability and enforceability. This can help an organization monitor and audit user actions more effectively and detect policy violations promptly.

    Ensure no IAM policies documents allow * as a statement's actions

    • This policy ensures that overly broad permissions aren’t given out, which could lead to unauthorized access. By stopping the usage of ”*” as a statement’s actions in IAM policies, it ensures that permissions are granted only to specific resources and actions.
    • Enforcing this rule prevents potential misuse or exploitation, reducing the risk of a major data breach. If compromised, an overly permissive policy can lead to substantial damage inside the AWS Infrastructure.
    • Ensuring no IAM policies allow ”*” as a statement’s actions promotes the best practice of least privilege, meaning that users, roles, or services are granted only the minimum permissions necessary to perform their tasks. This significantly minimizes the potential impact if a security breach does occur.
    • An IAM policy that allows ”*” as a statement’s actions is not compliant with industry standards and regulatory frameworks such as ISO 27001, PCI-DSS, or GDPR, potentially leading to legal implications and penalties. The enforcement of this rule keeps the infrastructure compliant.

    Ensure AWS IAM policy does not allow full IAM privileges

    • Ensuring AWS IAM policy does not allow full IAM privileges helps to reduce the risk of unauthorized access and data breaches. By limiting the powers of each IAM role, you make sure that even if an attacker somehow gains access to your AWS account, they will not have full control over all resources.
    • The existence of full IAM privileges within your AWS infrastructure makes it difficult to track and manage access to resources. It violates the principle of least privilege, which states that an entity must be able to access only the information and resources necessary for its legitimate purpose.
    • Implementing this policy aids in cloud governance and compliance. There might be legal and regulatory standards against giving unlimited access to your data and services, so by preventing full IAM privileges, you ensure your organization remains compliant and avoids potential fines or legal issues.
    • Granting full access means that any mistake or misconfiguration could potentially result in large-scale problems. For example, an erroneously executed command could delete all of your resources, or a misconfigured access control could expose your data publicly. By limiting permissions, you’re reducing the likelihood of such catastrophic errors.

    Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell

    • This policy ensures the prevention of Log4j message lookup attacks that leverage the critical vulnerability CVE-2021-44228, also known as log4jshell, which can give unauthorized remote code execution access to targeted systems, thus avoiding potential major security breaches.
    • Employing this infra security policy aids in protecting any web application associated with the AWS::WAFv2::WebACL resources from possible intrusion attempts, thereby strengthening the overall security posture of the infrastructure.
    • When implemented via Infrastructure as Code through Cloudformation, the security policy enhances automation, repeatability, and alleviates the need for manual intervention thereby reducing the risk of human error in ensuring compliance with the policy.
    • The policy regulates the AWS WAF to monitor HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, or AWS AppSync GraphQL API, thus relieving the burden on said resources from having to handle potential malicious attempts.

    Ensure IAM password policy expires passwords within 90 days or less

    • This policy is significant because it mandates the expiration of IAM account passwords within 90 days or less, encouraging users to frequently change their passwords, thereby minimizing the risk of password-related security breaches.
    • It has a direct impact on the integrity of user credentials by lowering the probability of unauthorized access due to often-used or stolen passwords, hence enhancing the security level of the entire aws_iam_account_password_policy entity.
    • Implementing this policy using Infrastructure as Code (IaC) tool like Terraform automates password expiration, making the management of the policy more efficient, and reducing potential human error.
    • Ensuring a password policy expiration also enables compliance with certain security standards and regulations which require regular password changes, making it crucial for organizations that need to meet these compliance requirements.

    Ensure IAM password policy requires minimum length of 14 or greater

    • The policy ensures that passwords used in AWS IAM have a minimum length of 14 characters, making it harder for malicious actors to guess or crack passwords, hence reducing the risk of unauthorized access to AWS resources.
    • Implementation of this policy promotes good cyber hygiene, as longer passwords often translate to a significant increase in password combinations, making brute-force attack much less feasible.
    • Non-compliance to this policy could potentially lead to exploited security vulnerabilities in infrastructure served by Terraform, thereby putting sensitive data and operations at risk of interference or theft.
    • By enforcing a minimum password length of 14 or greater, the policy contributes to the overall robustness of the IAM system, its resilience against cyber threats, and the security of the operations managed on the platform.

    Ensure IAM password policy requires at least one lowercase letter

    • This policy is critical because it demands a higher complexity for IAM passwords by enforcing the use of at least one lowercase letter, reducing the risk of brute force or dictionary attacks.
    • It enhances the security of the AWS IAM accounts by making the password harder to guess or crack, hence offering an additional layer of protection against unauthorized access.
    • Through increasing requirement for password complexity, it contributes to the conformance of security best practices and compliance requirements which often demand the inclusion of a mix of uppercase and lowercase characters.
    • Utilizing Infrastructure as Code (IaC) tools like Terraform helps ensure this policy is consistently applied across all IAM accounts, aspects of the AWS environment, thereby reducing the likelihood of human errors in policy implementation.

    Ensure IAM password policy requires at least one number

    • This policy enhances the security of IAM user accounts by requiring the inclusion of at least one numerical character in the password, making it harder for unauthorized users to guess or crack passwords.
    • By implementing this policy via Terraform, it can be ensured that it is applied consistently across the infrastructure, reducing the risk of human error and maintaining the necessary security standard.
    • It supports the best practice of password complexity to secure sensitive data and resources in an AWS environment and helps organizations comply with certain regulatory standards that dictate strong password policies.
    • The policy can potentially deter or slow down brute-force attacks that guess passwords, as the attackers have to try a larger combination of possibilities, therefore increasing the security of IAM accounts.

    Ensure IAM password policy requires at least one symbol

    • Requiring a symbol in an IAM password policy enhances security by making the password harder to guess or crack by brute-force attacks. Its complexity increases as it requires combinations of alphanumeric and special characters.
    • The policy helps to protect critical AWS resources and data as it implies a high standard of security measures are being implemented. Loss of data integrity or data breach might be greatly minimized when tougher password protocols are followed.
    • It helps organizations comply with various data protection regulations and standards, such as PCI DSS, GDPR, and ISO 27001, which demand strong access controls, including complex password policies.
    • Implementing this policy with Infrastructure as Code (IaC) as Terraform, makes it easier and more efficient to deploy across multiple accounts or regions within AWS environment. Changes can easily be tracked and reversed if necessary.

    Ensure IAM password policy requires at least one uppercase letter

    • This security policy increases the complexity of IAM passwords, making them difficult to guess or crack through methods like brute force attacks, thereby helping to safeguard IAM accounts that are vital to AWS operations.
    • If uppercase letters aren’t required in the IAM password policy, it can lead to creation of weak and easily guessable passwords, increasing the risk of unauthorized access which may lead to potential data breaches or misuse of AWS resources.
    • With this policy in place, automated tools like Terraform can consistently enforce the requirement of uppercase letters in every IAM password across the various AWS accounts, ensuring uniformity in security practices.
    • The consideration of this policy is significant for compliance with various information security standards and regulations which recommend or require passwords to contain a mix of uppercase and lowercase letters along with other character types.

    Ensure resource is encrypted by KMS using a customer managed Key (CMK)

    • Implementing this rule ensures that valuable or sensitive data stored in the ‘aws_fsx_openzfs_file_system’ resource is always encrypted using Key Management Service (KMS) with a customer managed key. This prevents unauthorized users from accessing the information.
    • This policy promotes data compliances, as encryption standards are a requirement set by regulations such as GDPR and HIPAA that mandate data to be encrypted both at rest and in transit. Violations of these regulations could lead to hefty penalties.
    • Using a customer managed key (CMK) for encryption provides the user with more granular control over the cryptographic keys, which includes key rotation, managing permissions, and auditing how keys are used.
    • The policy ensures a greater security measure against data breaches. Since the customer-managed key is used, even if the main AWS service is compromised, the encrypted data stored in the ‘aws_fsx_openzfs_file_system’ would remain secure, reducing the potential impact of hacker’s attacks.

    Ensure VPC flow logging is enabled in all VPCs

    • Enabling VPC flow logging in all VPCs provides visibility into the traffic entering and exiting the VPCs, which is essential for monitoring and troubleshooting potential network security issues.
    • VPC flow logging is key in auditing and compliance as it records and stores metadata like source and destination IP addresses, packet and byte counts, and TCP flags, amongst others, confirming or refuting compliance with established network policies.
    • Without VPC flow logging, real-time and historical analysis of the VPC’s network traffic, which can be crucial in incident response, is impossible, thereby increasing the risk of undetected malicious activities and data breaches.
    • The VPCHasFlowLog.yaml Terraform check ensures that the logging is enabled by default and therefore alleviates the manual task of enabling it each time a new VPC is created, making it more difficult for mistakes or oversights to occur that could lead to security vulnerabilities.

    Ensure EBS default encryption is enabled

    • Enabling EBS default encryption ensures that all new EBS volumes and snapshot data are automatically encrypted, reducing the risk of data leakage or unauthorized access.
    • This policy helps in compliance with regulatory standards and frameworks that require encryption of data at rest such as HIPAA, GDPR, and PCI DSS, such mitigating potential legal and financial implications.
    • It significantly simplifies the management and enforcement of data encryption, as administrators do not have to encrypt each and every volume or snapshot manually.
    • By enabling encryption by default, this policy enhances data protection in multi-tenant storage environments, reducing the potential exposure of sensitive data in the event of shared resource scenarios.

    Ensure all data stored in the EBS is securely encrypted

    • This policy ensures that customer data stored in Amazon Elastic Block Store (EBS) volumes is encrypted, providing data security and compliance with regulations that require encryption of sensitive data, thus reducing the risk of data breaches.
    • Application of this policy can prevent unauthorized disclosure of information, as all data at rest and moving between EC2 instances and EBS storage is encrypted, adding an extra layer of protection against data leaks or breaches.
    • The encryption process incorporates industry standard AES-256 encryption algorithm, providing a robust and secure method of making sure your data on the EBS is unreadable to those without appropriate access permissions.
    • An exception to this security policy might expose an organization’s data to potential cybersecurity threats, leading to financial losses, reputation damages, and non-compliance with data protection regulations.

    Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)

    • This policy ensures the security of your AWS Elastic Block Store (EBS) snapshots by enforcing encryption with a Customer Managed Key (CMK). This reduces the risk of unauthorized access to your data stored in these snapshots.
    • Not encrypting your EBS snapshots with a CMK leaves them vulnerable to data breaches, which can result to heavy financial losses and damage to your business’ reputation. The policy mitigates this risk by mandating encryption.
    • The use of a CMK provides you with full control over the key management and lifecycle including creation, rotation, and deletion. This can help your business meet your organization-specific, compliance, and regulatory requirements related to data protection.
    • Using Terraform as Infrastructure as Code (IaC) allows you to automate the compliance with this security policy. This can increase efficiency, consistency and allow for ease in scaling without requiring individual manual configuration for each EBS snapshot.

    Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)

    • This policy helps protect sensitive data stored on Elastic Block Store (EBS) volumes, as encryption with a customer managed key (CMK) significantly reduces the chances of being compromised or unauthorized access.
    • It allows users to have full control over their cryptographic keys by creating, owning, and managing their own CMKs. This is essential for organizations that are required to manage their own cryptographic materials in compliance with specific rules or regulations.
    • Any data that is written to the EBS volume, including backups, snapshots, and replicas, is automatically encrypted under this policy. This significantly simplifies data protection procedures and minimizes the possibility of unencrypted data exposure.
    • The policy ensures compliance with regulatory standards like HIPAA, GDPR, and PCI DSS which mandate encryption of sensitive data at rest. Non-compliance could lead to legal consequences and reputational damage.

    CloudFront Distribution should have WAF enabled

    • Enabling WAF (Web Application Firewall) on CloudFront distribution adds an extra layer of protection by inspecting incoming web traffic and providing a shield against common exploits like SQL Injection and Cross-Site Scripting attacks, thus reducing vulnerability.
    • As CloudFront is a content delivery service, a security gap may result in congestion, Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks on assets. Enabling WAF helps prevent such threats, maintaining the availability of services.
    • The policy ensures regulatory and compliance requirements are met, especially for businesses processing large amounts of sensitive data, by providing necessary safeguards and traffic controls on the edge locations close to the user.
    • The policy encourages the use of Infrastructure as Code (IaC), which allows for automated security checks and prevent vulnerabilities right from the development stage. This allows for quicker threat detection and reduces the risk of human error during manual inspections.

    Ensure the default security group of every VPC restricts all traffic

    • This policy aims to mitigate the risk of unauthorized access, data breaches, and potential attacks on your infrastructure by ensuring that the default security group of every Virtual Private Cloud (VPC) restricts all traffic unless explicitly allowed, making your environment more secure.
    • The policy implements Infrastructure as Code (IaC) using Terraform, facilitating automated and version-controlled security configurations. This not only ensures consistency and reproducibility across multiple environments, reducing human errors, but also enables quick responses to configuration deviations.
    • It specifically targets the aws_default_security_group and aws_vpc resources, making it highly relevant for organizations using AWS for cloud services. It ensures that your infrastructural entities are compliant with the best security practices in the industry and adhere to principles of least privilege access.
    • By enforcing this policy, organizations not only bolster their defenses against malicious parties but also create a conducive environment for achieving compliances, such as GDPR or HIPAA, which often require stringent traffic control mechanisms. It also allows for easier auditability and accountability within the organization for better governance.

    Ensure SNS topic policy is not public by only allowing specific services or principals to access it

    • This policy ensures that only specific, authorized services or principals have access to the SNS topic, thereby minimizing the likelihood of unauthorized access and information breach, maintaining data confidentiality.
    • By enforcing granular access control, the policy helps to prevent misuse of the SNS topic for the distribution of offensive, harmful, or misleading content by unknown or unauthorized entities, ensuring the credibility and integrity of the messages.
    • The policy prevents potential Denial of Service (DoS) attacks where mass requests from public could overwhelm the SNS topic, ensuring service availability for genuine users.
    • Utilizing this policy augments regulatory compliance by promoting best-practice security controls, potentially aiding in GDPR, HIPAA, PCI-DSS alignment, and being audit-ready.

    Ensure SageMaker Notebook is encrypted at rest using KMS CMK

    • This policy aims to safeguard sensitive data processed or stored in the SageMaker Notebook by encrypting it at rest using Key Management Service (KMS) Customer Master Key (CMK), reducing the risk of unauthorized access or data exposure.
    • Encryption using KMS CMK provides an additional layer of security beyond the default AWS managed keys, as the customer has direct control over the CMK, including its rotation and revocation, increasing data security and compliance standards.
    • Failing to use encryption at rest could result in non-compliance with data protection regulations and organizations might face hefty fines or other legal consequences.
    • This policy also supports Infrastructure as Code (IaC) practices by leveraging Terraform scripts for resource implementation, allowing efficient deployment, versioning, and management of the AWS resources and security settings.

    Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest

    • This policy ensures the integrity and confidentiality of sensitive data by encrypting it when it’s not in use, reducing the risk of data breaches and unauthorized access that could result in severe fines and damage to brand reputation.
    • Using secure encryption methods in AWS Sagemaker Endpoint configurations can protect the data against potential threats such as hacking attempts, internal misuse, or inadvertent data leakage, thereby enhancing data privacy and compliance with legal and regulatory data protection standards.
    • The policy also provides a security feature to safeguard in-transit data (when moving from one location to another) by enforcing server-side encryption which makes it unreadable until it is decrypted with the correct key.
    • With the Infrastructure as Code (IaC) approach such as Terraform, infrastructure becomes easier to manage, audit, and reproduce, facilitating automation of this policy across various stages of the development life cycle, thereby ensuring continuous security and compliance enforcement.

    Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)

    • This policy ensures the encryption of the data within the Sagemaker domain, providing additional security measures by preventing unauthorized users from reading or manipulating the data. Encryption effectively renders data useless to those who do not possess the correct decryption key.
    • The use of a Customer Managed Key (CMK) provides greater control and flexibility over your AWS KMS keys. This allows you to establish and enforce your own key policies, usage permissions, and its lifecycle, thereby giving you full control over your data security.
    • Without this policy, Sagemaker domains could be left vulnerable to data breaches or unauthorized access. This could result in sensitive information being exposed, and can lead to loss of data integrity and breach of compliance requirements.
    • Utilizing the Infrastructure as Code (IaC) tool Terraform in the implementation of this policy can lead to more efficient and effective security management processes. This method eliminates risks associated with manual configuration and promotes consistency, repeatability, and scalability of infrastructure across different cloud environments.
    HIPAAISO 27002:2022
    twitterlinkedin
    Powered by Mintlify
    Assistant
    Responses are generated using AI and may contain mistakes.