org.openrewrite.terraform.aws.AWSBestPractices
Securely operate on Amazon Web Services.
- terraform
- AWS
GitHub, Issue Tracker, Maven Central
- groupId: org.openrewrite.recipe
- artifactId: rewrite-terraform
- version: 2.0.1
This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-terraform:2.0.1
in your build file or by running a shell command (in which case no build changes are needed):
{% tabs %}
{% tab title="Gradle" %}
{% code title="build.gradle" %}
plugins {
id("org.openrewrite.rewrite") version("6.1.4")
}
rewrite {
activeRecipe("org.openrewrite.terraform.aws.AWSBestPractices")
}
repositories {
mavenCentral()
}
dependencies {
rewrite("org.openrewrite.recipe:rewrite-terraform:2.0.1")
}
{% endcode %} {% endtab %} {% tab title="Maven POM" %} {% code title="pom.xml" %}
<project>
<build>
<plugins>
<plugin>
<groupId>org.openrewrite.maven</groupId>
<artifactId>rewrite-maven-plugin</artifactId>
<version>5.2.4</version>
<configuration>
<activeRecipes>
<recipe>org.openrewrite.terraform.aws.AWSBestPractices</recipe>
</activeRecipes>
</configuration>
<dependencies>
<dependency>
<groupId>org.openrewrite.recipe</groupId>
<artifactId>rewrite-terraform</artifactId>
<version>2.0.1</version>
</dependency>
</dependencies>
</plugin>
</plugins>
</build>
</project>
{% endcode %} {% endtab %}
{% tab title="Maven Command Line" %} {% code title="shell" %} You will need to have Maven installed on your machine before you can run the following command.
mvn -U org.openrewrite.maven:rewrite-maven-plugin:run \
-Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-terraform:RELEASE \
-Drewrite.activeRecipes=org.openrewrite.terraform.aws.AWSBestPractices
{% endcode %} {% endtab %} {% endtabs %}
{% tabs %} {% tab title="Recipe List" %}
- Encrypt EBS volumes
- Encrypt EBS snapshots
- Ensure AWS Elasticsearch domain encryption for data at rest is enabled
- Ensure AWS Elasticsearch has node-to-node encryption enabled
- Ensure AWS CMK rotation is enabled
- Encrypt EBS volume launch configurations
- Ensure IAM password policy expires passwords within 90 days or less
- Ensure AWS IAM password policy has a minimum of 14 characters
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy prevents password reuse
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one uppercase letter
- Encrypt RDS clusters
- Ensure AWS RDS database instance is not publicly accessible
- Ensure data stored in an S3 bucket is securely encrypted at rest
- Ensure AWS S3 object versioning is enabled
- Enable point-in-time recovery for DynamoDB
- Encrypt ElastiCache Redis at rest
- Encrypt ElastiCache Redis in transit
- Scan images pushed to ECR
- Use HTTPS for Cloudfront distribution
- Ensure CloudTrail log file validation is enabled
- Ensure Amazon EKS control plane logging enabled for all log types
- Ensure AWS EKS cluster endpoint access is publicly disabled
- Ensure AWS EFS with encryption for data at rest is enabled
- Ensure Kinesis Stream is securely encrypted
- Encrypt Neptune storage
- Encrypt DAX storage at rest
- Ensure AWS Lambda functions have tracing enabled
- Make ECR tags immutable
- Encrypt Redshift storage at rest
- Encrypt DocumentDB storage
- Disable Instance Metadata Service version 1
- Ensure AWS Elasticsearch domains have
EnforceHTTPS
enabled - Encrypt Aurora clusters
- Encrypt EFS Volumes in ECS Task Definitions in transit
- Ensure AWS Lambda function is configured for function-level concurrent execution limit
- Ensure enhanced monitoring for Amazon RDS instances is enabled
- Enable API gateway caching
- Ensure detailed monitoring for EC2 instances is enabled
- Ensure respective logs of Amazon RDS are enabled
- Ensure VPC subnets do not assign public IP by default
- Ensure EC2 is EBS optimized
- Ensure ECR repositories are encrypted
- Encrypt CodeBuild projects
- Ensure RDS instances have Multi-AZ enabled
- Ensure RDS database has IAM authentication enabled
{% endtab %}
{% tab title="Yaml Recipe List" %}
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.terraform.aws.AWSBestPractices
displayName: Best practices for AWS
description: Securely operate on Amazon Web Services.
tags:
- terraform
- AWS
recipeList:
- org.openrewrite.terraform.aws.EncryptEBSVolumes
- org.openrewrite.terraform.aws.EncryptEBSSnapshots
- org.openrewrite.terraform.aws.EnsureAWSElasticsearchDomainEncryptionForDataAtRestIsEnabled
- org.openrewrite.terraform.aws.EnsureAWSElasticsearchHasNodeToNodeEncryptionEnabled
- org.openrewrite.terraform.aws.EnsureAWSCMKRotationIsEnabled
- org.openrewrite.terraform.aws.EncryptEBSVolumeLaunchConfiguration
- org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyExpiresPasswordsWithin90DaysOrLess
- org.openrewrite.terraform.aws.EnsureAWSIAMPasswordPolicyHasAMinimumOf14Characters
- org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneLowercaseLetter
- org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneNumber
- org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyPreventsPasswordReuse
- org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneSymbol
- org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneUppercaseLetter
- org.openrewrite.terraform.aws.EncryptRDSClusters
- org.openrewrite.terraform.aws.EnsureAWSRDSDatabaseInstanceIsNotPubliclyAccessible
- org.openrewrite.terraform.aws.EnsureDataStoredInAnS3BucketIsSecurelyEncryptedAtRest
- org.openrewrite.terraform.aws.EnsureAWSS3ObjectVersioningIsEnabled
- org.openrewrite.terraform.aws.EnableDynamoDbPITR
- org.openrewrite.terraform.aws.EncryptElastiCacheRedisAtRest
- org.openrewrite.terraform.aws.EncryptElastiCacheRedisInTransit
- org.openrewrite.terraform.aws.EnableECRScanOnPush
- org.openrewrite.terraform.aws.UseHttpsForCloudfrontDistribution
- org.openrewrite.terraform.aws.EnsureCloudTrailLogFileValidationIsEnabled
- org.openrewrite.terraform.aws.EnsureAmazonEKSControlPlaneLoggingEnabledForAllLogTypes
- org.openrewrite.terraform.aws.EnsureAWSEKSClusterEndpointAccessIsPubliclyDisabled
- org.openrewrite.terraform.aws.EnsureAWSEFSWithEncryptionForDataAtRestIsEnabled
- org.openrewrite.terraform.aws.EnsureKinesisStreamIsSecurelyEncrypted
- org.openrewrite.terraform.aws.EncryptNeptuneStorage
- org.openrewrite.terraform.aws.EncryptDAXStorage
- org.openrewrite.terraform.aws.EnsureAWSLambdaFunctionsHaveTracingEnabled
- org.openrewrite.terraform.aws.ImmutableECRTags
- org.openrewrite.terraform.aws.EncryptRedshift
- org.openrewrite.terraform.aws.EncryptDocumentDB
- org.openrewrite.terraform.aws.DisableInstanceMetadataServiceV1
- org.openrewrite.terraform.aws.EnsureAWSElasticsearchDomainsHaveEnforceHTTPSEnabled
- org.openrewrite.terraform.aws.EncryptAuroraClusters
- org.openrewrite.terraform.aws.EncryptEFSVolumesInECSTaskDefinitionsInTransit
- org.openrewrite.terraform.aws.EnsureAWSLambdaFunctionIsConfiguredForFunctionLevelConcurrentExecutionLimit
- org.openrewrite.terraform.aws.EnsureEnhancedMonitoringForAmazonRDSInstancesIsEnabled
- org.openrewrite.terraform.aws.EnableApiGatewayCaching
- org.openrewrite.terraform.aws.EnsureDetailedMonitoringForEC2InstancesIsEnabled
- org.openrewrite.terraform.aws.EnsureRespectiveLogsOfAmazonRDSAreEnabled
- org.openrewrite.terraform.aws.EnsureVPCSubnetsDoNotAssignPublicIPByDefault
- org.openrewrite.terraform.aws.EnsureEC2IsEBSOptimized
- org.openrewrite.terraform.aws.EnsureECRRepositoriesAreEncrypted
- org.openrewrite.terraform.aws.EncryptCodeBuild
- org.openrewrite.terraform.aws.EnsureRDSInstancesHaveMultiAZEnabled
- org.openrewrite.terraform.aws.EnsureRDSDatabaseHasIAMAuthenticationEnabled
{% endtab %} {% endtabs %}
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.