Just a brainstorming of possible compliance checks for AWS deployments:

- Terraform specific: Credentials not in template
  - Use EC2 Roles, env vars, credentials file etc.
- General
  - Every Resource has to have Tags defined in a Tagging Concept
    - A small number of services can't be tagged (e.g. Device Farm)
  - Region Enforcement
- DHCP Option Set
  - Enforce central DNS server
- S3 Buckets encrypted
  - Deny incorrect encryption headers (enforce KMS)
  - Deny incorrect object uploads (enforce encryption)
- S3 Buckets private
  - ACL private
- EBS Encrypted true + KMS Key
- Security Group Rules
  - No Allow Any Any Inbound
    - Source: 0.0.0.0/0 or ::/0
    - and
    - Protocol: All or Portrange: All
- IAM Policies
  - No * Trust policies
- RDS
  - KMS Encrypted
- Kinesis Streams
  - KMS Encrypted
- R53
  - External Zones have to be *.foo.bar.ch
  - Internal Zones have to be *.abc.xyz.ch
- EMR
  - Only allow EMR deployments with encryption enabled
  - http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-encryption-enable-security-configuration.html

I will create terraform snippets for those cases when I have the time.
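One way to turn several of the checks above (tags, any/any inbound security group rules, EBS/RDS/Kinesis KMS encryption, S3 default encryption, EMR security configuration) into a plan-time gate is to run them over the JSON that `terraform show -json` produces for a saved plan. The script below is an added example, not code from this issue or from the project; `REQUIRED_TAGS` is an assumed tagging concept, the `SAMPLE_PLAN` is a constructed, cut-down plan document rather than real Terraform output, and the EMR check only verifies that a security configuration is attached, which is a necessary but not sufficient condition for encryption.

```python
"""Policy-as-code checks over `terraform show -json tfplan` output.

Usage (assumed workflow):
    terraform plan -out tfplan && terraform show -json tfplan > plan.json
    python tfplan_checks.py plan.json      # exit 1 if any finding
"""
import json
import sys

REQUIRED_TAGS = ("Owner", "CostCenter", "Environment")  # assumed tagging concept
ANY_SOURCES = {"0.0.0.0/0", "::/0"}


def iter_resources(module):
    """Yield every planned resource, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def is_any_any_ingress(rule):
    """Issue's definition: source 0.0.0.0/0 or ::/0 AND (all protocols OR all ports).

    Terraform encodes "all protocols" as protocol "-1" with from_port/to_port 0,
    so the protocol test has to come before the port test.
    """
    sources = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not sources & ANY_SOURCES:
        return False
    all_protocols = str(rule.get("protocol")) in ("-1", "all")
    all_ports = rule.get("from_port") == 0 and rule.get("to_port") == 65535
    return all_protocols or all_ports


def check_resource(res):
    """Return (address, message) findings for one planned resource."""
    t, addr, v = res["type"], res["address"], res.get("values") or {}
    findings = []

    # Only resources that expose a `tags` attribute are judged, so services
    # that cannot be tagged (no `tags` key in the plan) are skipped automatically.
    if "tags" in v:
        missing = [k for k in REQUIRED_TAGS if k not in (v.get("tags") or {})]
        if missing:
            findings.append((addr, "missing required tags: " + ", ".join(missing)))

    if t == "aws_security_group":
        for rule in v.get("ingress") or []:
            if is_any_any_ingress(rule):
                findings.append((addr, "inline ingress rule allows any/any from the internet"))
    elif t == "aws_security_group_rule":
        if v.get("type") == "ingress" and is_any_any_ingress(v):
            findings.append((addr, "ingress rule allows any/any from the internet"))
    elif t == "aws_ebs_volume":
        # kms_key_id is computed when omitted, so it is absent from the plan
        # values; that absence is exactly the "no explicit KMS key" case.
        if not v.get("encrypted"):
            findings.append((addr, "EBS volume is not encrypted"))
        elif not v.get("kms_key_id"):
            findings.append((addr, "EBS volume uses the AWS-managed key, not a customer KMS key"))
    elif t == "aws_db_instance":
        if not v.get("storage_encrypted"):
            findings.append((addr, "RDS storage is not encrypted"))
        elif not v.get("kms_key_id"):
            findings.append((addr, "RDS storage encrypted without an explicit KMS key"))
    elif t == "aws_kinesis_stream":
        if v.get("encryption_type") != "KMS" or not v.get("kms_key_id"):
            findings.append((addr, "Kinesis stream is not KMS encrypted"))
    elif t == "aws_s3_bucket_server_side_encryption_configuration":
        for rule in v.get("rule") or []:
            for d in rule.get("apply_server_side_encryption_by_default") or []:
                if d.get("sse_algorithm") != "aws:kms" or not d.get("kms_master_key_id"):
                    findings.append((addr, "S3 default encryption is not SSE-KMS with a customer key"))
    elif t == "aws_emr_cluster":
        if not v.get("security_configuration"):
            findings.append((addr, "EMR cluster has no security configuration attached"))
    return findings


def check_plan(plan):
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        findings.extend(check_resource(res))
    return findings


# Constructed sample plan (not real `terraform show -json` output): one SG with a
# good 443 rule and a bad ::/0 all-protocol rule, an EBS volume that is encrypted
# but untagged and without a customer key, and a compliant RDS instance in a module.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {
    "resources": [
        {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
         "values": {"tags": {"Owner": "team-a", "CostCenter": "42", "Environment": "prod"},
                    "ingress": [
                        {"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                        {"from_port": 0, "to_port": 0, "protocol": "-1",
                         "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}]}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume", "name": "data",
         "values": {"encrypted": True, "tags": None}}],
    "child_modules": [{"address": "module.db", "resources": [
        {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance", "name": "main",
         "values": {"storage_encrypted": True,
                    "kms_key_id": "arn:aws:kms:eu-central-1:123456789012:key/example",
                    "tags": {"Owner": "team-a", "CostCenter": "42", "Environment": "prod"}}}]}]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = check_plan(plan)
    for address, message in results:
        print(f"{address}: {message}")
    sys.exit(1 if results else 0)
```

Against the constructed sample this reports three findings: the ::/0 all-protocol ingress on `aws_security_group.web`, and both the missing tags and the missing customer KMS key on `aws_ebs_volume.data`. Wiring the exit code into CI makes the plan fail before `terraform apply`; the DHCP option set, Route 53 zone naming and IAM trust policy items from the list are not covered here and would need their own checks on `aws_vpc_dhcp_options`, `aws_route53_zone` and the decoded `assume_role_policy` JSON respectively.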