This repository contains the Sentinel policies for the AWSCC provider that implement the CIS AWS Foundations Benchmark controls.
Note
A few of the checks were initially written manually; the rest were auto-generated using Q chat in a terminal, which required examples to test against. Review the GitHub Actions summary to see whether any of the policy checks have issues in testing.
These policies are designed to work with the AWS Cloud Control (AWSCC) provider and follow the same patterns and conventions as the AWS provider policies. They can be used to enforce best practices and security standards across your AWS environment managed with the AWSCC provider.
For more details on how to work with these policies and to understand the Sentinel language and framework, please refer to the Sentinel documentation or the README documentation included with each of the policy libraries.
- CloudTrail S3 bucket should have access logging enabled
- CloudTrail CloudWatch Logs group ARN is set
- CloudTrail log file validation is enabled
- CloudTrail S3 bucket should not be public
- CloudTrail should have encryption at rest enabled
- S3 general purpose buckets should have block public access settings enabled at the bucket level
- Ensure that object-level logging for events is enabled for S3 buckets
- S3 general purpose buckets should require SSL for all requests
- AWS EBS volumes are encrypted
- Ensure VPC flow logging is enabled in all VPCs
- Ensure that encryption is enabled for EFS file systems
- AWS KMS key rotation should be enabled
- Ensure that encryption at rest is enabled for RDS instances
- Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances
- Ensure that public access is not given to RDS instances
The policies in this directory are implemented for the AWSCC provider based on the AWS provider policies. Some key points to note:
- Resource structure differences: the AWSCC provider has different resource structures compared to the AWS provider for some resources. The policies have been adapted to work with these differences.
- Missing policies: some policies from the AWS provider may not be implemented for the AWSCC provider due to resource unavailability or significant differences in resource structure.
This getting started guide assumes that:
- You are familiar with core workflows in HCP Terraform and Terraform Enterprise, and you have an existing workspace configured with AWS access credentials.
- You have a user account that is part of the "owners" team or that has "Manage Policies" organization-level permissions to create new policy sets and policies.
- You are using HCP Terraform or Terraform Enterprise v202312-1 or a later version.
- You are using Sentinel version 0.26.x or later.
By default, the module enables all policies within the library, and the HCP Platform enforces them with the enforcement_level set to advisory only.
Example:
```hcl
policy "rds-encryption-at-rest-enabled" {
  source            = "./policies-awscc/rds/rds-encryption-at-rest-enabled.sentinel"
  enforcement_level = "advisory"
}
```
If you want to enable only a subset of the policies, or change the enforcement levels to either soft-mandatory or hard-mandatory, we recommend updating the contents of the sentinel.hcl file in each library before applying the Terraform configuration.
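To show the pattern behind a policy such as rds-encryption-at-rest-enabled, and why the AWSCC resource structure matters, here is an added, simplified Sentinel policy written for this README; it is not the repository's own code. It assumes the AWSCC resource type `awscc_rds_db_instance` with a `storage_encrypted` attribute (mirroring the Cloud Control `StorageEncrypted` property) and evaluates the tfplan/v2 import against resources being created or updated.

```sentinel
import "tfplan/v2" as tfplan

# Select only managed AWSCC RDS instances that the plan creates or updates.
# Resource type and attribute names are assumed for this example.
rdsInstances = filter tfplan.resource_changes as _, rc {
	rc.type is "awscc_rds_db_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# A missing attribute is undefined in Sentinel; "else false" turns that into a
# violation instead of letting undefined propagate through the comparison.
violations = filter rdsInstances as _, rc {
	(rc.change.after.storage_encrypted else false) is not true
}

# Report each offending address so the plan output tells the user what to fix.
for violations as address, rc {
	print("Resource", address, "must set storage_encrypted = true")
}

# The policy passes only when no RDS instance in the plan is unencrypted.
main = rule {
	length(violations) is 0
}
```

The same policy for the classic AWS provider would filter on `aws_db_instance` instead, which is exactly the kind of resource-structure difference the earlier note refers to.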