
@cdklabs/cdk-validator-cfnguard


CDK CFN Guard Validator Plugin

---

cdk-constructs: Experimental

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


Installing

TypeScript/JavaScript

npm install @cdklabs/cdk-validator-cfnguard

Python

pip install cdklabs.cdk-validator-cfnguard

Java

<!-- add this to your pom.xml -->
<dependency>
    <groupId>io.github.cdklabs</groupId>
    <artifactId>cdk-validator-cfnguard</artifactId>
    <version>0.0.0</version> <!-- replace with the released version -->
</dependency>

.NET

dotnet add package Cdklabs.CdkValidatorCfnGuard --version X.X.X

Usage

To use this plugin in your CDK application, add it to the CDK App via the policy_validation_beta1 property. The validator then runs against every synthesized template on cdk synth.

from aws_cdk import App
from cdklabs.cdk_validator_cfnguard import CfnGuardValidator

app = App(
    policy_validation_beta1=[
        CfnGuardValidator()
    ]
)

By default the CfnGuardValidator plugin comes with the Control Tower proactive controls enabled. To disable these rules, set the control_tower_rules_enabled=False property (controlTowerRulesEnabled: false in TypeScript).

CfnGuardValidator(
    control_tower_rules_enabled=False
)

It is also possible to disable individual rules by ID.

CfnGuardValidator(
    disabled_rules=["ct-s3-pr-1"]
)

Additional rules

To provide additional rules to the plugin, pass a list of local file or directory paths.

CfnGuardValidator(
    rules=["path/to/local-rules-directory", "path/to/s3/local-rules/my-rule.guard"]
)

If a path is a directory, that directory must contain only Guard rule files; every rule in the directory will be used.

Using the bundled Control Tower proactive controls in CDK

The bundled Control Tower proactive controls use CloudFormation Guard policies that are also used in managed controls from the Control Tower service. You can use these CDK bundled controls without having a Control Tower environment in AWS, but there are many benefits to using the two together.

When you enable Control Tower proactive controls in your Control Tower environment, the controls can stop the deployment of non-compliant resources deployed via CloudFormation. For more information about managed proactive controls and how they work, see the Control Tower documentation.

These CDK bundled controls and managed Control Tower proactive controls are best used together. In this scenario you can configure this validation plugin with the same proactive controls that are active in your Control Tower cloud environment. You can then quickly gain confidence that your CDK application will pass the Control Tower controls by running cdk synth locally or in a pipeline as described above.

Regardless of whether you or your organization use Control Tower, however, you should understand the following things about these bundled controls when run locally using this plugin:

  1. These CloudFormation Guard policies accept only a limited subset of CloudFormation syntax for the properties they evaluate. For instance, a property called EncryptionEnabled may pass if it is specified with the literal value true, but it may fail if it is specified with a reference to a CloudFormation stack parameter instead. Similarly, if a rule checks for a string value, it may fail for Fn::Join objects. If you discover that a rule can be bypassed with a particular configuration of a resource, please file an issue.
  2. Some rules may check references to other resources, but this reference checking is limited. For instance, a rule may require that an access logging bucket is specified for each S3 bucket. In this case, the rule can check whether you have passed a reference to a bucket in the same template, but it cannot verify that a hardcoded bucket name like "examplebucket" actually refers to a real bucket or a bucket you own.
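As an added example of a custom rule for the "Additional rules" section (not part of the plugin or the bundled controls), the following hypothetical file, say local-rules/s3-sse-kms.guard, tightens the bundled CT.S3.PR.7 check by requiring SSE-KMS rather than any server-side encryption. It also illustrates caveat 1 above: the KMS key is usually emitted by CDK as a Ref or Fn::GetAtt rather than a string, so the rule tests only that the property exists instead of comparing its value.

```guard
# Hypothetical custom Guard rule (added example). Select every S3 bucket in the template.
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

# Only evaluate when the template actually declares an S3 bucket.
rule s3_bucket_uses_sse_kms when %s3_buckets !empty {
    %s3_buckets {
        Properties {
            # Encryption must be configured at all (CDK: encryption=BucketEncryption.KMS).
            BucketEncryption exists
            <<
                Violation: S3 bucket has no BucketEncryption configuration.
                Fix: Set BucketEncryption.ServerSideEncryptionConfiguration.
            >>
            BucketEncryption {
                ServerSideEncryptionConfiguration[*] {
                    ServerSideEncryptionByDefault {
                        # Literal string comparison: AES256 (SSE-S3) is rejected here.
                        SSEAlgorithm == 'aws:kms'
                        <<
                            Violation: S3 bucket must use SSE-KMS, not SSE-S3 (AES256).
                            Fix: Set SSEAlgorithm to 'aws:kms' and supply a KMS key.
                        >>
                        # The key ID is normally a Ref/Fn::GetAtt to a KMS key in the
                        # same template; a string match would not evaluate it, so only
                        # require that it is present (see caveat 1 above).
                        KMSMasterKeyID exists
                        <<
                            Violation: SSE-KMS configured without a KMS key.
                            Fix: Set KMSMasterKeyID to the key ARN or a reference to it.
                        >>
                    }
                }
            }
        }
    }
}
```

Pass the directory containing this file in the rules list shown above; the plugin reports the Violation text for every bucket that fails during cdk synth.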

You can add a layer of security protection by enabling the same proactive controls in your Control Tower cloud environment. There are different considerations for using these controls since they operate in a different way. For more information, see the Control Tower proactive controls documentation.

If you do not yet have a Control Tower environment, see What is AWS Control Tower?.

Bundled Control Tower Rules

| ID | Name | Evaluated Resource Types |
|---|---|---|
| CT.ACM.PR.1 | Require an AWS Private CA certificate to have a single domain name | AWS::CertificateManager::Certificate |
| CT.APIGATEWAY.PR.1 | Require an Amazon API Gateway REST and WebSocket API to have logging activated | AWS::ApiGateway::Stage |
| CT.APIGATEWAY.PR.2 | Require an Amazon API Gateway REST API stage to have AWS X-Ray tracing activated | AWS::ApiGateway::Stage |
| CT.APIGATEWAY.PR.3 | Require that an Amazon API Gateway REST API stage has encryption at rest configured for cache data | AWS::ApiGateway::Stage |
| CT.APIGATEWAY.PR.4 | Require an Amazon API Gateway V2 stage to have access logging activated | AWS::ApiGatewayV2::Stage |
| CT.CLOUDFRONT.PR.1 | Require an Amazon CloudFront distribution to have a default root object configured | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.2 | Require any Amazon CloudFront distributions with Amazon S3 backed origins to have an origin access identity configured | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.3 | Require an Amazon CloudFront distribution to have encryption in transit configured | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.4 | Require an Amazon CloudFront distribution to have origin failover configured | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.5 | Require any Amazon CloudFront distribution to have logging enabled | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.6 | Require an Amazon CloudFront distribution to use custom SSL/TLS certificates | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.7 | Require an Amazon CloudFront distribution to use SNI to serve HTTPS requests | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.8 | Require an Amazon CloudFront distribution to encrypt traffic to custom origins | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.9 | Require an Amazon CloudFront distribution to have a security policy of TLSv1.2 as a minimum | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.10 | Require any Amazon CloudFront distributions with Amazon S3 backed origins to have origin access control configured | AWS::CloudFront::Distribution |
| CT.CLOUDFRONT.PR.11 | Require an Amazon CloudFront distribution to use updated SSL protocols between edge locations and custom origins | AWS::CloudFront::Distribution |
| CT.CLOUDTRAIL.PR.1 | Require an AWS CloudTrail trail to have encryption at rest activated | AWS::CloudTrail::Trail |
| CT.CLOUDTRAIL.PR.2 | Require an AWS CloudTrail trail to have log file validation activated | AWS::CloudTrail::Trail |
| CT.CLOUDTRAIL.PR.3 | Require an AWS CloudTrail trail to have an Amazon CloudWatch log group configuration | AWS::CloudTrail::Trail |
| CT.CODEBUILD.PR.1 | Require OAuth on GitHub or Bitbucket source repository URLs for AWS CodeBuild projects | AWS::CodeBuild::Project |
| CT.CODEBUILD.PR.2 | Require any AWS CodeBuild project environment variable to encrypt credentials in environment variables | AWS::CodeBuild::Project |
| CT.CODEBUILD.PR.3 | Require any AWS CodeBuild project environment to have logging configured | AWS::CodeBuild::Project |
| CT.CODEBUILD.PR.4 | Require any AWS CodeBuild project to deactivate privileged mode when running | AWS::CodeBuild::Project |
| CT.CODEBUILD.PR.5 | Require encryption on all AWS CodeBuild project artifacts | AWS::CodeBuild::Project |
| CT.CODEBUILD.PR.6 | Require encryption on all Amazon S3 logs for AWS CodeBuild projects | AWS::CodeBuild::Project |
| CT.DAX.PR.1 | Require encryption at rest for all Amazon DynamoDB Accelerator (DAX) clusters | AWS::DAX::Cluster |
| CT.DMS.PR.1 | Require that a public AWS DMS replication instance is not public | AWS::DMS::ReplicationInstance |
| CT.DYNAMODB.PR.1 | Require that point-in-time recovery for an Amazon DynamoDB table is activated | AWS::DynamoDB::Table |
| CT.EC2.PR.1 | Require an Amazon EC2 launch template to have IMDSv2 configured | AWS::EC2::LaunchTemplate |
| CT.EC2.PR.2 | Require that Amazon EC2 launch templates restrict the token hop limit to a maximum of one | AWS::EC2::LaunchTemplate |
| CT.EC2.PR.3 | Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for ports other than 80 and 443 | AWS::EC2::SecurityGroup, AWS::EC2::SecurityGroupIngress |
| CT.EC2.PR.4 | Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for specific high-risk ports | AWS::EC2::SecurityGroup, AWS::EC2::SecurityGroupIngress |
| CT.EC2.PR.5 | Require any Amazon EC2 network ACL to prevent ingress from 0.0.0.0/0 to port 22 or port 3389 | AWS::EC2::NetworkAclEntry |
| CT.EC2.PR.6 | Require that Amazon EC2 transit gateways refuse automatic Amazon VPC attachment requests | AWS::EC2::TransitGateway |
| CT.EC2.PR.7 | Require that an Amazon EBS volume attached to an Amazon EC2 instance is encrypted at rest | AWS::EC2::Instance, AWS::EC2::Volume |
| CT.EC2.PR.8 | Require any Amazon EC2 instance to have a non-public IP address | AWS::EC2::Instance |
| CT.EC2.PR.9 | Require any Amazon EC2 launch template not to auto-assign public IP addresses to network interfaces | AWS::EC2::LaunchTemplate |
| CT.EC2.PR.10 | Require Amazon EC2 launch templates to have Amazon CloudWatch detailed monitoring activated | AWS::EC2::LaunchTemplate |
| CT.EC2.PR.11 | Require that an Amazon EC2 subnet does not automatically assign public IP addresses | AWS::EC2::Subnet |
| CT.EC2.PR.12 | Require an Amazon EC2 instance to configure one ENI only | AWS::EC2::Instance |
| CT.ECR.PR.1 | Require Amazon ECR repositories to have a lifecycle policy configured | AWS::ECR::Repository |
| CT.ECR.PR.2 | Require Amazon ECR private repositories to have image scanning enabled | AWS::ECR::Repository |
| CT.ECR.PR.3 | Require Amazon ECR private repositories to have tag immutability enabled | AWS::ECR::Repository |
| CT.ECS.PR.1 | Require AWS ECS Fargate Services to run on the latest Fargate platform version | AWS::ECS::Service |
| CT.ECS.PR.2 | Require any Amazon ECS cluster to have container insights activated | AWS::ECS::Cluster |
| CT.ECS.PR.3 | Require any Amazon ECS task definition to specify a user that is not the root | AWS::ECS::TaskDefinition |
| CT.ECS.PR.4 | Require Amazon ECS tasks to use 'awsvpc' networking mode | AWS::ECS::TaskDefinition |
| CT.ECS.PR.5 | Require an active Amazon ECS task definition to have a logging configuration | AWS::ECS::TaskDefinition |
| CT.ECS.PR.6 | Require Amazon ECS containers to allow read-only access to the root filesystem | AWS::ECS::TaskDefinition |
| CT.ECS.PR.7 | Require an Amazon ECS task definition to have a specific memory usage limit | AWS::ECS::TaskDefinition |
| CT.ECS.PR.8 | Require Amazon ECS task definitions to have secure networking modes and user definitions | AWS::ECS::TaskDefinition |
| CT.ECS.PR.9 | Require Amazon ECS services not to assign public IP addresses automatically | AWS::ECS::Service |
| CT.ECS.PR.10 | Require that Amazon ECS task definitions do not share the host's process namespace | AWS::ECS::TaskDefinition |
| CT.ECS.PR.11 | Require an Amazon ECS container to run as non-privileged | AWS::ECS::TaskDefinition |
| CT.ECS.PR.12 | Require that Amazon ECS task definitions do not pass secrets as container environment variables | AWS::ECS::TaskDefinition |
| CT.ELASTICBEANSTALK.PR.1 | Require AWS Elastic Beanstalk environments to have enhanced health reporting enabled | AWS::ElasticBeanstalk::Environment, AWS::ElasticBeanstalk::ConfigurationTemplate |
| CT.ELASTICBEANSTALK.PR.2 | Require an AWS Elastic Beanstalk environment to have managed platform updates configured | AWS::ElasticBeanstalk::Environment, AWS::ElasticBeanstalk::ConfigurationTemplate |
| CT.ELASTICFILESYSYSTEM.PR.1 | Require an Amazon EFS file system to encrypt file data at rest using AWS KMS | AWS::EFS::FileSystem |
| CT.ELASTICFILESYSYSTEM.PR.2 | Require an Amazon EFS volume to have an automated backup plan | AWS::EFS::FileSystem |
| CT.ELASTICFILESYSYSTEM.PR.3 | Require Amazon EFS access points to have a root directory | AWS::EFS::AccessPoint |
| CT.ELASTICFILESYSYSTEM.PR.4 | Require Amazon EFS access points to enforce a user identity | AWS::EFS::AccessPoint |
| CT.ELASTICLOADBALANCING.PR.1 | Require any application load balancer listener default actions to redirect all HTTP requests to HTTPS | AWS::ElasticLoadBalancingV2::Listener |
| CT.ELASTICLOADBALANCING.PR.2 | Require any Amazon ELB application or network load balancer to have an AWS Certificate Manager certificate | AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::ListenerCertificate |
| CT.ELASTICLOADBALANCING.PR.3 | Require any application load balancer to have defensive or strictest desync mitigation mode activated | AWS::ElasticLoadBalancingV2::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.4 | Require that any application load balancer must be configured to drop HTTP headers | AWS::ElasticLoadBalancingV2::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.5 | Require that application load balancer deletion protection is activated | AWS::ElasticLoadBalancingV2::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.6 | Require that application and network load balancer access logging is activated | AWS::ElasticLoadBalancingV2::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.7 | Require any classic load balancer to have multiple Availability Zones configured | AWS::ElasticLoadBalancing::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.8 | Require any classic load balancer SSL/HTTPS listener to have a certificate provided by AWS Certificate Manager | AWS::ElasticLoadBalancing::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.9 | Require that an AWS ELB application or classic load balancer listener is configured with HTTPS or TLS termination | AWS::ElasticLoadBalancing::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.10 | Require an ELB application or classic load balancer to have logging activated | AWS::ElasticLoadBalancing::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.11 | Require any ELB classic load balancer to have connection draining activated | AWS::ElasticLoadBalancing::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.12 | Require any ELB classic load balancer SSL/HTTPS listener to have a predefined security policy with a strong configuration | AWS::ElasticLoadBalancing::LoadBalancer |
| CT.ELASTICLOADBALANCING.PR.13 | Require any ELB classic load balancer to have cross-zone load balancing activated | AWS::ElasticLoadBalancing::LoadBalancer |
| CT.GUARDDUTY.PR.1 | Require an Amazon GuardDuty detector to have Amazon S3 protection activated | AWS::GuardDuty::Detector |
| CT.IAM.PR.1 | Require that an AWS Identity and Access Management (IAM) inline policy does not have a statement that includes "*" in the Action and Resource elements | AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, AWS::IAM::Group |
| CT.IAM.PR.2 | Require that AWS Identity and Access Management (IAM) customer-managed policies do not contain a statement that includes "*" in the Action and Resource elements | AWS::IAM::ManagedPolicy |
| CT.IAM.PR.3 | Require that AWS Identity and Access Management (IAM) customer-managed policies do not have wildcard service actions | AWS::IAM::ManagedPolicy |
| CT.IAM.PR.4 | Require that an AWS Identity and Access Management (IAM) user does not have an inline or managed policy attached | AWS::IAM::User, AWS::IAM::Policy, AWS::IAM::ManagedPolicy |
| CT.IAM.PR.5 | Require that AWS Identity and Access Management (IAM) inline policies do not have wildcard service actions | AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, AWS::IAM::Group |
| CT.KINESIS.PR.1 | Require any Amazon Kinesis data stream to have encryption at rest configured | AWS::Kinesis::Stream |
| CT.KMS.PR.1 | Require any AWS KMS key to have rotation configured | AWS::KMS::Key |
| CT.LAMBDA.PR.2 | Require AWS Lambda function policies to prohibit public access | AWS::Lambda::Permission |
| CT.NETWORK-FIREWALL.PR.1 | Require any AWS Network Firewall firewall policy to have an associated rule group | AWS::NetworkFirewall::FirewallPolicy |
| CT.NETWORK-FIREWALL.PR.2 | Require any AWS Network Firewall firewall policy to drop or forward stateless full packets by default when they do not match a rule | AWS::NetworkFirewall::FirewallPolicy |
| CT.NETWORK-FIREWALL.PR.3 | Require any AWS Network Firewall firewall policy to drop or forward fragmented packets by default when they do not match a stateless rule | AWS::NetworkFirewall::FirewallPolicy |
| CT.NETWORK-FIREWALL.PR.4 | Require any AWS Network Firewall rule group to contain at least one rule | AWS::NetworkFirewall::RuleGroup |
| CT.RDS.PR.1 | Require that an Amazon RDS database instance is configured with multiple Availability Zones | AWS::RDS::DBInstance |
| CT.RDS.PR.2 | Require an Amazon RDS database instance or cluster to have enhanced monitoring configured | AWS::RDS::DBInstance |
| CT.RDS.PR.3 | Require an Amazon RDS cluster to have deletion protection configured | AWS::RDS::DBCluster |
| CT.RDS.PR.4 | Require an Amazon RDS database cluster to have AWS IAM database authentication configured | AWS::RDS::DBCluster |
| CT.RDS.PR.5 | Require an Amazon RDS database instance to have minor version upgrades configured | AWS::RDS::DBInstance |
| CT.RDS.PR.6 | Require an Amazon RDS database cluster to have backtracking configured | AWS::RDS::DBCluster |
| CT.RDS.PR.7 | Require Amazon RDS database instances to have AWS IAM authentication configured | AWS::RDS::DBInstance |
| CT.RDS.PR.8 | Require an Amazon RDS database instance to have automatic backups configured | AWS::RDS::DBInstance |
| CT.RDS.PR.9 | Require an Amazon RDS database cluster to copy tags to snapshots | AWS::RDS::DBCluster |
| CT.RDS.PR.10 | Require an Amazon RDS database instance to copy tags to snapshots | AWS::RDS::DBInstance |
| CT.RDS.PR.11 | Require an Amazon RDS database instance to have a VPC configuration | AWS::RDS::DBInstance |
| CT.RDS.PR.12 | Require an Amazon RDS event subscription to have critical cluster events configured | AWS::RDS::EventSubscription |
| CT.RDS.PR.13 | Require any Amazon RDS instance to have deletion protection configured | AWS::RDS::DBInstance |
| CT.RDS.PR.14 | Require an Amazon RDS database instance to have logging configured | AWS::RDS::DBInstance |
| CT.RDS.PR.15 | Require that an Amazon RDS instance does not create DB security groups | AWS::RDS::DBInstance, AWS::RDS::DBSecurityGroup |
| CT.RDS.PR.16 | Require an Amazon RDS database cluster to have encryption at rest configured | AWS::RDS::DBCluster |
| CT.RDS.PR.17 | Require an Amazon RDS event notification subscription to have critical database instance events configured | AWS::RDS::EventSubscription |
| CT.RDS.PR.18 | Require an Amazon RDS event notification subscription to have critical database parameter group events configured | AWS::RDS::EventSubscription |
| CT.RDS.PR.19 | Require an Amazon RDS event notifications subscription to have critical database security group events configured | AWS::RDS::EventSubscription |
| CT.RDS.PR.20 | Require an Amazon RDS database instance not to use a database engine default port | AWS::RDS::DBInstance |
| CT.RDS.PR.21 | Require an Amazon RDS DB cluster to have a unique administrator username | AWS::RDS::DBCluster |
| CT.RDS.PR.22 | Require an Amazon RDS database instance to have a unique administrator username | AWS::RDS::DBInstance |
| CT.RDS.PR.23 | Require an Amazon RDS database instance to not be publicly accessible | AWS::RDS::DBInstance |
| CT.RDS.PR.24 | Require an Amazon RDS database instance to have encryption at rest configured | AWS::RDS::DBInstance |
| CT.REDSHIFT.PR.1 | Require an Amazon Redshift cluster to prohibit public access | AWS::Redshift::Cluster |
| CT.REDSHIFT.PR.2 | Require an Amazon Redshift cluster to have automatic snapshots configured | AWS::Redshift::Cluster |
| CT.REDSHIFT.PR.3 | Require an Amazon Redshift cluster to have audit logging configured | AWS::Redshift::Cluster |
| CT.REDSHIFT.PR.4 | Require an Amazon Redshift cluster to have automatic upgrades to major versions configured | AWS::Redshift::Cluster |
| CT.REDSHIFT.PR.5 | Require an Amazon Redshift cluster to have enhanced VPC routing | AWS::Redshift::Cluster |
| CT.REDSHIFT.PR.6 | Require an Amazon Redshift cluster to have a unique administrator username | AWS::Redshift::Cluster |
| CT.REDSHIFT.PR.7 | Require an Amazon Redshift cluster to have a unique database name | AWS::Redshift::Cluster |
| CT.S3.PR.1 | Require an Amazon S3 bucket to have block public access settings configured | AWS::S3::Bucket |
| CT.S3.PR.2 | Require an Amazon S3 bucket to have server access logging configured | AWS::S3::Bucket |
| CT.S3.PR.3 | Require an Amazon S3 bucket to have versioning configured and a lifecycle policy | AWS::S3::Bucket |
| CT.S3.PR.4 | Require an Amazon S3 bucket to have event notifications configured | AWS::S3::Bucket |
| CT.S3.PR.5 | Require that an Amazon S3 bucket does not manage user access with an access control list (ACL) | AWS::S3::Bucket |
| CT.S3.PR.6 | Require an Amazon S3 bucket to have lifecycle policies configured | AWS::S3::Bucket |
| CT.S3.PR.7 | Require an Amazon S3 bucket to have server-side encryption configured | AWS::S3::Bucket |
| CT.S3.PR.8 | Require that Amazon S3 bucket requests use Secure Sockets Layer | AWS::S3::BucketPolicy |
| CT.SQS.PR.1 | Require any Amazon SQS queue to have a dead-letter queue configured | AWS::SQS::Queue |
| CT.SQS.PR.2 | Require any Amazon SQS queue to have encryption at rest configured | AWS::SQS::Queue |
| CT.WAF-REGIONAL.PR.1 | Require any AWS WAF regional rule to have a condition | AWS::WAFRegional::Rule |
| CT.WAF-REGIONAL.PR.2 | Require any AWS WAF regional web access control list (ACL) to have a rule or rule group | AWS::WAFRegional::WebACL |
| CT.WAF.PR.1 | Require any AWS WAF global rule to have a condition | AWS::WAF::Rule |
| CT.WAF.PR.2 | Require any AWS WAF global web ACL to have a rule or rule group | AWS::WAF::WebACL |
| CT.WAFV2.PR.1 | Require an AWS WAFV2 web ACL to be non-empty | AWS::WAFv2::WebACL |
| CT.WAFV2.PR.2 | Require an AWS WAFV2 rule group to be non-empty | AWS::WAFv2::RuleGroup |

Source distribution: cdklabs.cdk-validator-cfnguard-0.0.42.tar.gz (4.5 MB)
