hashicorp/policy-library-pcidss-policy-set-for-aws-terraform

Pre-written Sentinel Policies for AWS PCI DSS

Pre-written Sentinel policies are ready-to-use compliance checks for PCI DSS that help your AWS resources meet industry standards.

At HashiCorp, we're committed to making policy management easier for our customers. We understand that developing policies from scratch can be time-consuming and resource-intensive. To address this, we're introducing our Prewritten Policy Libraries: expertly crafted, ready-to-use policies designed to streamline your compliance processes and enhance security across your infrastructure.

These policies, tailored for organizations that handle payment card data or process financial transactions, let users continuously evaluate, enforce, and demonstrate adherence to PCI DSS controls across their HCP Terraform and Terraform Enterprise (TFE) environments.

For more details on how to work with these policies and to understand the Sentinel language and framework, please refer to the Sentinel documentation or the README documentation included with each of the policy libraries.

Feedback

We aim to validate the effectiveness of our policies by collecting diverse user feedback and understanding real-world use cases. This input will help refine our policies and enhance their overall impact.

  1. You can submit your feedback via a public survey.

  2. If you have any issues or enhancement suggestions to the library, please create a new GitHub issue.

  3. Alternatively, we welcome any contributions that improve the impact of this library! To learn more about contributing and suggesting changes to this library, refer to the contributing guide.

Getting Started

This getting started guide assumes that:

  1. You are familiar with core workflows in HCP Terraform and Terraform Enterprise, and you have an existing workspace configured with AWS access credentials.

    Tip: If you do not have these prerequisites, please refer to the Use VCS-Driven Workflow and Create a Variable Set tutorials for guidance.

  2. You have a user account that is part of the "owners" team or that has the "Manage Policies" organization-level permission, so you can create new policy sets and policies.

  3. You are using HCP Terraform or Terraform Enterprise v202312-1 or later.

  4. You are using Sentinel 0.26.x or later.

By default, the library enables every policy it contains, and HCP Terraform or Terraform Enterprise evaluates each one with enforcement_level set to advisory, so violations are reported in the run but never block it.

Example:

policy "iam-password-policy-strong-configuration" {
  source = "./policies/iam/iam-password-policy-strong-configuration.sentinel"
  enforcement_level = "advisory"
  params = {
    minimum_password_length_param = 14
  }
}

If you want to enable only a subset of the policies, or to raise the enforcement level to soft-mandatory (a violation blocks the run unless a user with override permission overrides it) or hard-mandatory (a violation always blocks the run), we recommend editing the sentinel.hcl file in each library before applying the Terraform configuration. A policy runs only if it is declared in sentinel.hcl, so removing a policy block disables that check.

Important: The policies in each library are opinionated and depend on several Sentinel modules. To learn more about modules, please refer to the Sentinel module documentation.

To learn more about how to configure a policy set as a policy evaluation, please review the Terraform Enterprise provider documentation.
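The sentinel.hcl below is an added example of the customization just described; it is not the library's own file. It keeps the iam-password-policy-strong-configuration entry quoted above, drops every other policy except two, and shows all three enforcement levels side by side. The module name and source path, the two additional policy names and their source paths are assumptions standing in for the real entries in the library.

```hcl
# sentinel.hcl (added example, not the library's own file)

# The policies depend on shared Sentinel modules (see the "Important" note
# above). Keep the module blocks the library ships, or policies fail to load.
# Module name and path below are assumed, not copied from the library.
module "tfplan-functions" {
  source = "./modules/tfplan-functions/tfplan-functions.sentinel"
}

# advisory: a violation is reported in the run output and nothing is blocked.
# This entry is the one quoted in the README above.
policy "iam-password-policy-strong-configuration" {
  source            = "./policies/iam/iam-password-policy-strong-configuration.sentinel"
  enforcement_level = "advisory"
  params = {
    # 14 exceeds the 12-character minimum PCI DSS v4.0 requirement 8.3.6 asks for.
    minimum_password_length_param = 14
  }
}

# soft-mandatory: a violation blocks the run until a user who holds the
# override permission explicitly overrides it. Policy name/path assumed.
policy "ec2-instance-metadata-http-tokens-required" {
  source            = "./policies/ec2/ec2-instance-metadata-http-tokens-required.sentinel"
  enforcement_level = "soft-mandatory"
}

# hard-mandatory: a violation always blocks the run; no override is possible.
# Reserve this for checks with no legitimate exception, such as SSH open to
# the internet. Policy name/path assumed.
policy "ec2-security-group-no-ssh-from-internet" {
  source            = "./policies/ec2/ec2-security-group-no-ssh-from-internet.sentinel"
  enforcement_level = "hard-mandatory"
}

# Every policy not declared in this file is simply not evaluated, which is
# how a subset of the library is selected.
```

Because enforcement is decided per policy here rather than per policy set, you can roll the library out as advisory, watch the run results for a few weeks, and promote individual checks to soft- or hard-mandatory as the findings are cleaned up.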

Consuming Pre-Written Sentinel Policies for AWS PCI DSS

The following methods outline ways to consume and implement the pre-written Sentinel policies for the AWS PCI DSS framework. The policies can be used in both Terraform Enterprise (TFE) and HCP Terraform environments. Below are the recommended methods for integrating them into your workflows.

Terraform Registry Method:

  • Navigate to the Terraform Registry and select the desired Sentinel policy.
  • Copy the provided policy snippet from the registry.
  • Create a GitHub repository (or use an existing one) to store your policies.
  • Add a sentinel.hcl file (the name is case-sensitive) to the repository and paste the copied policy snippet(s) into it.
  • Connect the repository to HCP Terraform or Terraform Enterprise using the VCS (Version Control System) workflow.
  • Policies then run automatically in the post-plan stage of every run in HCP Terraform or Terraform Enterprise.

Using the Public GitHub Repository:

  • Access the public GitHub repository containing the policy library.
  • You can directly use the repository as-is or fork it to customize the policies for your specific requirements.
  • If forking, ensure you sync your fork with the upstream repository periodically to stay updated with the latest changes.
  • Avoid using the default branch for consumption in HCP Terraform or Terraform Enterprise. Instead, use the release branches for better stability.
  • Attach the repository (or your fork) to HCP Terraform or Terraform Enterprise using the VCS workflow.
  • Start a run; the policies execute in the post-plan stage, after the plan is produced and before any apply.
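As an added example that is not part of this repository, the Terraform configuration below performs the attachment steps above with the tfe provider rather than the UI: it points a Sentinel policy set at this repository on a release branch, runs it as a policy evaluation on the agent with a pinned Sentinel version, and scopes it to one workspace. The organization name, workspace name, branch name and OAuth token id are placeholders to replace with your own.

```hcl
# Added example (not the library's code): attach the AWS PCI DSS policy
# library to HCP Terraform / Terraform Enterprise with the tfe provider.

terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

provider "tfe" {
  organization = "example-org" # placeholder
}

# The OAuth token id of the VCS connection already configured in the
# organization; supplied at apply time instead of hard-coded.
variable "oauth_token_id" {
  type        = string
  description = "oauth_token_id of the VCS client that can read the policy repository"
}

# Only the workspaces that manage cardholder-data infrastructure need the
# policy set; everything else is left out of scope.
data "tfe_workspace" "payments" {
  name = "payments-prod" # placeholder
}

resource "tfe_policy_set" "aws_pci_dss" {
  name        = "aws-pci-dss"
  description = "HashiCorp pre-written Sentinel policies for AWS PCI DSS"
  kind        = "sentinel"

  # Run as a policy evaluation (the mode the Terraform Enterprise provider
  # documentation referenced above describes) and pin the Sentinel runtime to
  # satisfy the 0.26.x requirement. The exact patch version is assumed.
  agent_enabled       = true
  policy_tool_version = "0.26.0"

  workspace_ids = [data.tfe_workspace.payments.id]

  vcs_repo {
    # Use your fork's identifier here if you customize the policies.
    identifier = "hashicorp/policy-library-pcidss-policy-set-for-aws-terraform"

    # Pin to a release branch, never the default branch, so a commit upstream
    # cannot silently change what blocks your runs. Branch name is a placeholder.
    branch             = "release/v1.0.0"
    ingress_submodules = false
    oauth_token_id     = var.oauth_token_id
  }
}
```

Pinning the branch is the control that matters most here: a policy set is code that other people can change, and an unpinned default branch means the contents of a hard-mandatory gate can move without anyone in your organization reviewing it.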

Notes and Best Practices

  • These policies are compatible with both HCP Terraform (HCPT) and Terraform Enterprise (TFE). Ensure your workflow is configured accordingly.
  • When using the public GitHub repository, it is recommended to use release branches for stability and avoid consuming policies directly from the default branch.
  • Regularly update your policies to align with the latest PCI DSS standards and Terraform best practices.
  • Customize policies as needed to meet your organization's specific compliance and security requirements.

Resources

Policies Included

  • This policy checks if resources of type 'aws_redshift_cluster' have the (docs | code)

  • This policy requires resources of type aws_dms_endpoint to have the attribute "ssl_mode" set to one of: require, verify-ca, verify-full. (docs | code)

  • This policy requires resources of type aws_elasticsearch_domain to have log_publishing_options with the 'enabled' attribute set to true and 'log_type' set to 'AUDIT_LOGS'. (docs | code)

  • This policy requires resources of type aws_elasticsearch_domain to have domain_endpoint_options with tls_security_policy set to the latest policy, 'Policy-Min-TLS-1-2-PFS-2023-10', and 'enforce_https' set to true. (docs | code)

  • This control checks if Amazon S3 logs for an 'aws_codebuild_project' are encrypted. (docs | code)

  • This policy requires that the aws_elasticache_replication_group resource with engine_version (docs | code)

  • This control checks whether 'aws_cloudfront_distribution' are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. (docs | code)

  • This control checks whether server access logging is enabled on 'aws_cloudfront_distribution'. (docs | code)

  • This control checks whether 'aws_guardduty_detector' is enabled in your GuardDuty account and Region. (docs | code)

  • This policy checks if resources of type 'aws_opensearch_domain' have the 'enable' attribute set to true and 'log_type' set to 'AUDIT_LOGS' (docs | code)

  • This policy requires aws_network_acl resources to have 'subnet_ids' present. (docs | code)

  • This policy requires the default security group of aws_vpc resources to allow no inbound or outbound traffic. (docs | code)

  • This policy checks if 'aws_eks_cluster' does not (docs | code)

  • This policy checks if 'aws_eks_cluster' uses KMS (docs | code)

  • This policy checks if 'aws_eks_cluster' resources have (docs | code)

  • This control checks whether an Amazon Aurora PostgreSQL DB cluster is configured to publish logs to Amazon CloudWatch Logs. (docs | code)

  • This policy verifies if the attributes of the 'aws_s3_bucket_public_access_block' (docs | code)

  • This control checks whether an Amazon S3 Multi-Region Access Point has block public access settings enabled. (docs | code)

  • This policy checks if resources of type 'aws_dms_replication_instance' have the 'auto_minor_version_upgrade' (docs | code)

  • This policy requires resources of type aws_elasticsearch_domain to have a non-empty subnet_ids inside 'vpc_options'. (docs | code)

  • This policy checks if resources of type 'aws_rds_cluster' have the 'master_username' (docs | code)

  • This policy requires that resources of type aws_cloudtrail have server-side encryption enabled. (docs | code)

  • This policy checks if resources of type 'aws_redshift_cluster' referenced to the (docs | code)

  • This policy checks whether logging is enabled for an 'aws_waf_web_acl'. (docs | code)

  • This policy checks whether 'aws_cloudfront_distribution' are associated with either AWS WAF Classic or AWS WAF web ACLs. (docs | code)

  • This policy requires resources of type aws_secretsmanager_secret to be configured for automatic rotation. (docs | code)

  • This policy requires resources of type aws_acm_certificate with an RSA key algorithm to have a key length of at least 2048 bits. (docs | code)

  • This policy checks if resources of type 'aws_dms_replication_task' have the 'replication_task_settings' (docs | code)

  • This policy checks if resources of type 'aws_dms_replication_task' have the 'replication_task_settings' for target database logging enabled (docs | code)

  • This policy checks if resources of type 'aws_dms_endpoint' have the 'certificate_arn' (docs | code)

  • This policy requires AWS Step Functions state machines to have logging configuration enabled with level set to "ALL", "ERROR", or "FATAL". (docs | code)

  • This policy requires aws_cloudwatch_event_bus resources to be attached to a policy. (docs | code)

  • This policy ensures that Amazon Inspector Lambda code scanning is enabled (docs | code)

  • This policy requires resources of type aws_efs_access_point to have the posix_user attribute defined. (docs | code)

  • This policy requires resources of type aws_elasticsearch_domain to have encrypt_at_rest with the 'enabled' attribute set to true. (docs | code)

  • This control checks whether 'aws_guardduty_detector' S3 Protection is enabled. (docs | code)

  • S3 general purpose buckets should block public read access (docs | code)

  • This policy requires aws_subnet resources to have the attribute 'map_public_ip_on_launch' set to false. (docs | code)

  • This policy checks if classic load balancers with SSL listeners (docs | code)

  • This policy requires resources of type aws_db_instance to have enabled_cloudwatch_logs_exports set to valid array of values. (docs | code)

  • This policy checks if resources of type 'aws_dms_endpoint' have the 'ssl_security_protocol' (docs | code)

  • This policy requires that the elasticbeanstalk environment have platform updates enabled (docs | code)

  • This policy checks if resources of type 'aws_redshift_cluster' have the 'publicly_accessible' (docs | code)

  • This policy checks if resources of type 'aws_launch_template' have the attribute (docs | code)

  • This control checks whether 'aws_guardduty_detector_feature' EKS Runtime Monitoring with automated agent management is enabled. (docs | code)

  • IAM policies should not allow administrator privileges to users/roles/groups. (docs | code)

  • This policy checks if application load balancers are configured (docs | code)

  • This control checks whether an Amazon RDS for PostgreSQL DB instance is configured to publish logs to Amazon CloudWatch Logs. (docs | code)

  • S3 Buckets should have object lock enabled (docs | code)

  • S3 Buckets should have cross-region replication enabled (docs | code)

  • This policy requires that the aws_dax_cluster resource has cluster_endpoint_encryption_type attribute set to TLS (docs | code)

  • This policy requires that the block public access setting be enabled and that no port other than 22 be allowed. (docs | code)

  • This policy checks whether OpenSearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. (docs | code)

  • This policy checks if resources of type 'aws_ecr_repository' have (docs | code)

  • This policy checks if resources of type 'aws_ecs_service' have (docs | code)

  • This policy requires that the elasticbeanstalk environment have cloudwatch log streaming enabled (docs | code)

  • This policy checks if resources of type 'aws_mq_broker' have the 'auto_minor_version_upgrade' (docs | code)

  • This policy requires resources of type aws_elasticsearch_domain to have node_to_node_encryption with 'enabled' set to true. (docs | code)

  • This policy checks if resources of type 'aws_opensearch_domain' have the 'auto_software_update_enabled' attribute set to true (docs | code)

  • This control checks whether the 'aws_lambda_function' resource-based policy prohibits public access outside of your account. (docs | code)

  • This control checks if DNS query logging is enabled for an Amazon Route 53 public hosted zone. (docs | code)

  • This policy checks if the aws rds instances are publicly accessible (docs | code)

  • This policy checks if resources of type 'aws_dms_endpoint' have the 'auth_mechanism' (docs | code)

  • This policy ensures that Amazon Inspector EC2 scanning is enabled (docs | code)

  • This policy requires resources of type aws_mskconnect_connector to have encryption in transit enabled. (docs | code)

  • This policy requires that the auto_minor_version_upgrade attribute of the aws_elasticache_cluster or aws_elasticache_replication_group (docs | code)

  • This policy checks if resources of type 'aws_mq_broker' have the attribute 'logs' with parameter (docs | code)

  • This policy requires resources of type aws_cloudtrail to have log file validation enabled. (docs | code)

  • This control checks whether 'aws_cloudfront_distribution' are encrypting traffic to custom origins. (docs | code)

  • This control checks whether an 'aws_cloudfront_distribution' is configured to return a specific object (docs | code)

  • S3 general purpose buckets should block public write access (docs | code)

  • This policy requires aws_autoscaling_group resources to be associated with load balancers and to have the attribute 'health_check_type' set to 'ELB'. (docs | code)

  • This policy requires resources of type aws_ecs_task_set to have assign_public_ip set to false. (docs | code)

  • This policy requires all requests to 'aws_s3_bucket' resources to use SSL, enforced through an 'aws_s3_bucket_policy' resource. (docs | code)

  • This policy requires attribute 'enable_cloudwatch_logs_exports' to contain 'audit' for 'aws_neptune_cluster' resources (docs | code)

  • This policy requires aws_ebs_snapshot_block_public_access resources to have attribute state to either 'block-new-sharing' or 'block-all-sharing'. (docs | code)

  • WAFv2 Web ACLs should have logging enabled (docs | code)

  • This policy requires resources of type aws_launch_configuration to have 'associate_public_ip_address' set to false. (docs | code)

  • This policy checks if resources of type 'aws_ecs_service' with (docs | code)

  • This policy checks if resources of type 'aws_docdb_cluster' have the 'backup_retention_period' (docs | code)

  • IAM users should not be directly attached to IAM policies. (docs | code)

  • This policy checks if resources of type 'aws_docdb_cluster' have the 'enabled_cloudwatch_logs_exports attribute' (docs | code)

  • This policy requires that the aws_iam_account_password_policy resource (docs | code)

  • Lambda.3 (docs | code)

  • This policy checks if the container definitions contain non-allow-listed (docs | code)

  • This policy requires resources of type 'aws_instance' or 'aws_ec2_instance_metadata_defaults' to have 'http_tokens' attribute set to 'required'. (docs | code)

  • This policy checks if 'aws_eks_cluster' resources have (docs | code)

  • S3 Buckets should have encryption enabled at rest with AWS KMS Key (docs | code)

  • This policy requires resources of type aws_network_acl and aws_network_acl_rule (docs | code)

  • This policy requires that the protocols attribute of AWS Transfer servers not contain "FTP". (docs | code)

  • This policy ensures that Amazon Inspector ECR scanning is enabled (docs | code)

  • This policy checks if 'aws_apigatewayv2_stage' has access logging configured. (docs | code)

  • This policy ensures that application load balancer in the terraform configurations (docs | code)

  • This policy checks if resources of type 'aws_rds_cluster' with 'aurora-mysql' engine (docs | code)

  • This control checks whether an 'aws_cloudfront_distribution' requires viewers to use HTTPS directly or whether it uses redirection. (docs | code)

  • This policy checks if resources of type 'aws_vpn_connection' have the cloudwatch logs (docs | code)

  • This policy requires resources of type aws_appsync_graphql_api have attribute log_config with field_log_level set to ERROR or ALL. (docs | code)

  • This policy requires that the transit_encryption_enabled attribute of the aws_elasticache_replication_group resource is true. (docs | code)

  • This policy checks if resources of type 'aws_elb' have listeners (docs | code)

  • This control checks whether 'aws_lambda_function' runtime settings match the expected values set for the supported runtimes in each language. (docs | code)

  • This policy checks if resources of type 'aws_sagemaker_notebook_instance' have the 'direct_internet_access' (docs | code)

  • This policy checks if resources of type 'aws_dms_replication_instance' have the 'publicly_accessible' (docs | code)

  • This policy checks if resources of type 'aws_msk_cluster' have the 'in_cluster' (docs | code)

  • This policy checks if resources of type 'aws_opensearch_domain' have the 'enable' attribute set to true (docs | code)

  • This policy requires resources of type aws_s3_access_point to have all attributes (docs | code)

  • This policy checks if resources of type 'aws_db_instance' have the 'username' (docs | code)

  • This policy checks if resources of type 'aws_ec2_client_vpn_endpoint' have the cloudwatch logs (docs | code)

  • This policy ensures that Amazon Inspector Lambda standard scanning is enabled (docs | code)

  • This policy requires resources of type aws_security_group, aws_security_group_rule and aws_vpc_security_group_ingress_rule (docs | code)

  • This policy requires resources of type aws_vpc and aws_default_vpc to have flow logs enabled. (docs | code)

  • This policy checks whether 'aws_cloudfront_distribution' are pointing to non-existent Amazon S3 origins. (docs | code)

  • This policy requires resources of type aws_cloudtrail to have cloudwatch log group arn set. (docs | code)

  • This policy checks if CloudTrail S3 buckets have access logging enabled. (docs | code)

  • This policy checks if application load balancer resources have valid desync mitigation mode configured (docs | code)

  • This policy checks if classic load balancer resources have valid desync mitigation mode configured (docs | code)

  • This policy requires resources of type aws_db_instance have attribute "auto_minor_version_upgrade" set to true. (docs | code)

  • This policy verifies if the attributes of the 'aws_s3_account_public_access_block' (docs | code)

  • Ensure IAM password policy requires at least one lowercase letter (docs | code)

  • This policy checks if resources of type 'aws_launch_template' have the attribute (docs | code)

  • Ensure IAM password policy requires at least one number (docs | code)

  • AWS Security Group should not allow ingress traffic from 0.0.0.0/0 or ::/0 to port 22 (docs | code)

  • AWS Security Group should not allow ingress traffic from 0.0.0.0/0 or ::/0 to port 3389 (docs | code)

  • AWS Security Group should not allow ingress traffic from 0.0.0.0/0 to port 22 and 3389 (docs | code)

  • AWS Security Group should not allow ingress traffic from ::/0 to port 22 and 3389 (docs | code)

  • CloudTrail S3 bucket should not be publicly accessible (docs | code)

  • Password policies for IAM users should have strong configurations (docs | code)

  • Ensure that Object-level logging for read events is enabled for S3 buckets (docs | code)

  • Ensure that Object-level logging for write events is enabled for S3 buckets (docs | code)

  • Ensure IAM password policy prevents password reuse (docs | code)

  • Ensure IAM password policy requires at least one uppercase letter (docs | code)

  • Ensure IAM password policy expires within 90 days (docs | code)
