Possible Compliance Checks for policr #21

JonasSaegesser opened this issue Dec 6, 2017 · 0 comments
Just a brainstorming of possible compliance checks for AWS deployments:

- Terraform specific: Credentials not in template
	- Use EC2 Roles, env vars, credentials file etc
- General
	- Every Resource has to have Tags defined in a Tagging Concept
	- A small number of services can't be tagged (i.e. Device Farm)
	- Region Enforcement
- DHCP Option Set
	- Enforce central dns server
- S3 Buckets encrypted
	- Deny incorrect encryption headers (enforce KMS)
	- Deny incorrect object uploads (enforce encryption)
- S3 Buckets private
	- acl private
- EBS Encrypted true + KMS Key
- Security Group Rules
	- No Allow Any Any Inbound
	- Source: 0.0.0.0/0 or ::/0
	- and
	- Protocol: All or Port range: All
- IAM Policies
	- No * Trust policies
- RDS
	- KMS Encrypted
- Kinesis Streams
	- KMS Encrypted
- R53
	- External Zones have to be *.foo.bar.ch
	- Internal Zones have to be *.abc.xyz.ch
- EMR
	- only allow emr deployments with encryption enabled
	- http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-encryption-enable-security-configuration.html

I will create terraform snippets for those cases when I have the time.

@LoooooKe LoooooKe self-assigned this Dec 7, 2017
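An added example (not policr's code and not the snippets the issue author promised) of how several of the brainstormed checks could be evaluated against the JSON that `terraform show -json` produces for a plan: the "Allow Any Any Inbound" security-group rule, private S3 ACL, EBS and RDS/Kinesis KMS encryption. The plan excerpt is constructed, the KMS key ARN is a placeholder, and the attribute names assume the `aws` provider's resource schema.

```python
"""Compliance checks over a `terraform show -json` plan (added example, not policr's code)."""
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def open_to_world(rule):
    """Match the issue's 'No Allow Any Any Inbound' rule: source is 0.0.0.0/0 or ::/0
    AND (protocol is all, i.e. "-1", OR the port range covers all ports)."""
    any_src = ANY_V4 in (rule.get("cidr_blocks") or []) or ANY_V6 in (rule.get("ipv6_cidr_blocks") or [])
    all_proto = str(rule.get("protocol")) == "-1"
    all_ports = rule.get("from_port") == 0 and rule.get("to_port") in (0, 65535)
    return any_src and (all_proto or all_ports)

def check_resource(res):
    """Return a list of (address, finding) tuples for one planned resource."""
    t, v, addr = res["type"], res.get("values", {}), res["address"]
    findings = []
    if t == "aws_security_group":
        for r in v.get("ingress") or []:
            if open_to_world(r):
                findings.append((addr, "ingress open to any source on all ports/protocols"))
    elif t == "aws_s3_bucket" and v.get("acl", "private") != "private":
        findings.append((addr, f"acl is {v['acl']!r}, must be private"))
    elif t == "aws_ebs_volume" and not (v.get("encrypted") and v.get("kms_key_id")):
        findings.append((addr, "EBS volume must be encrypted with a KMS key"))
    elif t in ("aws_db_instance", "aws_kinesis_stream") and not v.get("kms_key_id"):
        findings.append((addr, f"{t} must be KMS encrypted"))
    return findings

def check_plan(plan_json):
    """Walk the root module of a plan JSON document and collect all findings."""
    plan = json.loads(plan_json)
    resources = plan["planned_values"]["root_module"].get("resources", [])
    return [f for res in resources for f in check_resource(res)]

# Constructed plan excerpt in the `terraform show -json` shape; not from a real deployment.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
        {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"acl": "public-read"}},
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
     "values": {"encrypted": True, "kms_key_id": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance", "values": {"storage_encrypted": True}},
]}}})

if __name__ == "__main__":
    for addr, msg in check_plan(SAMPLE_PLAN):
        print(f"FAIL {addr}: {msg}")
```

Run against the constructed plan it reports the IPv6 any/any rule, the public-read bucket and the RDS instance without a KMS key, while the HTTPS-only rule and the KMS-encrypted volume pass.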