# AWS Controls

- **Require Amazon ECS Fargate Services to run on the latest Fargate platform version**
  - Remediation: set `platform_version` to `LATEST`.
  - References: Control Tower CT.ECS.PR.1, FSBP ECS.10
- **Require any Amazon ECS cluster to have container insights activated**
  - Remediation: add
    ```hcl
    setting {
      name  = "containerInsights"
      value = "enabled"
    }
    ```
  - References: Control Tower CT.ECS.PR.2, FSBP ECS.12
- **Require any Amazon ECS task definition to specify a user that is not root**
  - Remediation: set `user` to a non-root user for all containers in `container_definitions`.
- **Require Amazon ECS tasks to use 'awsvpc' networking mode**
  - Remediation: set `network_mode = "awsvpc"`.
- **Require an active Amazon ECS task definition to have a logging configuration**
  - Remediation: set `logConfiguration` for each container in `container_definitions`.
  - References: Control Tower CT.ECS.PR.5, FSBP ECS.9
- **Require Amazon ECS containers to allow read-only access to the root filesystem**
  - Remediation: set `readonlyRootFilesystem = "true"` for each container in `container_definitions`.
  - References: Control Tower CT.ECS.PR.6, FSBP ECS.5
- **Require an Amazon ECS task definition to have a specific memory usage limit**
  - Remediation: set `memory` for each container in `container_definitions`.
- **Require Amazon ECS task definitions to have secure networking modes and user definitions**
  - This rule applies to tasks that use `network_mode = "host"`.
  - Remediation: set `privileged = false` and `user` to a non-root user for each container in `container_definitions`.
  - References: Control Tower CT.ECS.PR.8, FSBP ECS.1
- **Require Amazon ECS services not to assign public IP addresses automatically**
  - Remediation: set `assign_public_ip = false`.
  - References: Control Tower CT.ECS.PR.9, FSBP ECS.2
- **Require that Amazon ECS task definitions do not share the host's process namespace**
  - Remediation: set `pid_mode` to something other than `host`.
  - References: Control Tower CT.ECS.PR.10, FSBP ECS.3
- **Require an Amazon ECS container to run as non-privileged**
  - Remediation: set `privileged = false` for each container in `container_definitions`.
  - References: Control Tower CT.ECS.PR.11, FSBP ECS.4
- **Require that Amazon ECS task definitions do not pass secrets as container environment variables**
  - This rule checks for the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `ECS_ENGINE_AUTH_DATA`.
  - Remediation: remove the offending environment variables. Prefer IAM roles if possible. If you must use access keys, store them in SSM or Secrets Manager and use the `secrets` container definition parameter to populate the environment with them.
  - References: Control Tower CT.ECS.PR.12, FSBP ECS.8; Passing secrets safely to an ECS container
- **Require that ECS task sets do not automatically assign public IP addresses**
  - Remediation: set `assign_public_ip = false`.
- **Require that an AWS Identity and Access Management (IAM) inline policy does not have a statement that includes "*" in the Action and Resource elements**
  - Remediation: remove all IAM policy statements that allow `Action: "*"` with `Resource: "*"`. These should be made more specific.
- **Require that AWS Identity and Access Management (IAM) customer-managed policies do not have wildcard service actions**
  - Remediation: remove any IAM policy statements with `Effect: "Allow"` and `Action: "service:*"` or `NotAction`.
  - References: Control Tower CT.IAM.PR.3, Control Tower CT.IAM.PR.5
- **Require that an AWS Identity and Access Management (IAM) user does not have an inline or managed policy attached**
  - Remediation: remove any policy attachments to users and inherit permissions from IAM groups or roles instead.
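The three IAM controls above side by side, as an added Terraform example that is not from this page: a statement of the shape the first two controls reject, the scoped statement that replaces it, and a user that receives permissions only through a group. Bucket names, the user and the group are placeholders.

```hcl
# Shape rejected by the controls above: "*" actions on "*" resources.
# Kept only for contrast; nothing attaches it.
data "aws_iam_policy_document" "too_broad" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
}

# Replacement: explicit actions (no "s3:*") on explicit resources.
data "aws_iam_policy_document" "scoped" {
  statement {
    sid     = "ReadOneBucket"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::PLACEHOLDER-bucket",
      "arn:aws:s3:::PLACEHOLDER-bucket/*",
    ]
  }
}

resource "aws_iam_policy" "scoped" {
  name   = "app-read-bucket"
  policy = data.aws_iam_policy_document.scoped.json
}

resource "aws_iam_group" "readers" {
  name = "bucket-readers"
}

# The policy is attached to the group, never to the user directly.
resource "aws_iam_group_policy_attachment" "readers" {
  group      = aws_iam_group.readers.name
  policy_arn = aws_iam_policy.scoped.arn
}

resource "aws_iam_user" "alice" {
  name = "PLACEHOLDER-user"
}

resource "aws_iam_user_group_membership" "alice" {
  user   = aws_iam_user.alice.name
  groups = [aws_iam_group.readers.name]
}
```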
- **Require AWS Lambda function policies to prohibit public access**
  - Remediation: if your action is `lambda:InvokeFunction`, restrict access to the Lambda either by setting `principal` to a specific IAM identity or AWS account instead of a service or wildcard principal, or by setting `source_account`, `source_arn`, or `principal_org_id`. If your Lambda is a function URL, set `function_url_auth_type = "AWS_IAM"`.
- **Require an AWS Lambda function to be in a customer-managed Amazon Virtual Private Cloud (VPC)**
  - Remediation: configure `vpc_config`, providing lists of `subnet_ids` and `security_group_ids`.
- **Require an AWS Lambda layer permission to grant access to an AWS organization or specific AWS account**
  - Remediation: restrict access to the Lambda layer either by setting `principal` to a value other than `*` or by setting `organization_id`.
- **Require an AWS Lambda function URL to use AWS IAM-based authentication**
  - Remediation: set `authorization_type = "AWS_IAM"`.
  - References: Control Tower CT.LAMBDA.PR.5; AWS documentation for the `AWS_IAM` authorization type
- **Require an AWS Lambda function URL CORS policy to restrict access to specific origins**
  - Remediation: ensure that `cors.allow_origins` has been specified and that none of the origins are wildcard origins (`*`, `http://*`, `https://*`).
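The Lambda controls above in one configuration, as an added Terraform example that is not from this page: a scoped invoke permission, a function in a customer-managed VPC, an IAM-authenticated function URL with a fixed origin list, and a layer shared with one organization. ARNs, IDs, the bucket, the origin and the deployment package are placeholders.

```hcl
resource "aws_lambda_function" "api" {
  function_name = "api"
  role          = "arn:aws:iam::111122223333:role/PLACEHOLDER-lambda-role"
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "lambda.zip"   # deployment package, assumed to exist locally
  vpc_config {                   # customer-managed VPC
    subnet_ids         = ["subnet-PLACEHOLDER"]
    security_group_ids = ["sg-PLACEHOLDER"]
  }
}

# Invocation limited to one bucket in one account. A bare principal = "*",
# or a service principal without source_account/source_arn, would be public.
resource "aws_lambda_permission" "from_bucket" {
  statement_id   = "AllowInvokeFromBucket"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.api.function_name
  principal      = "s3.amazonaws.com"
  source_account = "111122223333"
  source_arn     = "arn:aws:s3:::PLACEHOLDER-bucket"
}

resource "aws_lambda_function_url" "api" {
  function_name      = aws_lambda_function.api.function_name
  authorization_type = "AWS_IAM"   # callers must sign requests; NONE would be anonymous
  cors {
    allow_origins = ["https://app.example.com"]   # explicit origin, no "*" / "https://*"
    allow_methods = ["GET", "POST"]
  }
}

# Layer shared with one organization instead of every AWS account.
resource "aws_lambda_layer_version_permission" "shared" {
  layer_name      = "arn:aws:lambda:us-east-1:111122223333:layer:PLACEHOLDER"
  version_number  = 1
  principal       = "*"              # "*" is acceptable only paired with organization_id
  organization_id = "o-PLACEHOLDER"
  action          = "lambda:GetLayerVersion"
  statement_id    = "org-access"
}
```

With `AWS_IAM` on the URL, each caller additionally needs `lambda:InvokeFunctionUrl` on the function in its own IAM policy.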
- **Require that an Amazon RDS database instance is configured with multiple Availability Zones**
  - Remediation: set `multi_az = true`.
- **Require an Amazon RDS database instance or cluster to have enhanced monitoring configured**
  - Remediation: enable enhanced monitoring by setting `monitoring_interval` to a supported interval higher than 0 and `monitoring_role_arn` to an IAM role ARN that is configured for monitoring.
- **Require an Amazon RDS cluster to have deletion protection configured**
  - Remediation: set `deletion_protection = true`.
- **Require an Amazon RDS database cluster to have AWS IAM database authentication configured**
  - Remediation: set `iam_database_authentication_enabled = true` and refactor your application to connect using IAM instead of static credentials.
  - References: IAM database authentication documentation
- **Require an Amazon RDS database instance to have minor version upgrades configured**
  - Remediation: set `auto_minor_version_upgrade = true`.
- **Require an Amazon RDS database cluster to have backtracking configured**
  - Remediation: set `backtrack_window` to a positive number of seconds.
- **Require Amazon RDS database instances to have IAM authentication configured**
  - Remediation: set `iam_database_authentication_enabled = true` and refactor your application to connect using IAM instead of static credentials.
  - References: IAM database authentication documentation
- **Require an Amazon RDS database instance to have automatic backups configured**
  - Remediation: set `backup_retention_period` to at least `7` days.
- **Require an Amazon RDS database cluster to copy tags to snapshots**
  - Remediation: set `copy_tags_to_snapshot = true`.
- **Require an Amazon RDS database instance to copy tags to snapshots**
  - Remediation: set `copy_tags_to_snapshot = true`.
- **Require an Amazon RDS database instance to have a VPC configuration**
  - Remediation: set `db_subnet_group_name` to the database VPC subnet group you want to place your instance in.
- **Require an Amazon RDS event subscription to have critical cluster events configured**
  - Remediation: set `enabled = true` and include `maintenance` and `failure` in your selected event categories.
- **Require any Amazon RDS instance to have deletion protection configured**
  - Remediation: set `deletion_protection = true`.
- **Require an Amazon RDS database instance to export logs to Amazon CloudWatch Logs by means of the EnableCloudwatchLogsExports property**
  - Remediation: set `enabled_cloudwatch_logs_exports` to a set containing all log types for your database engine.
    - MySQL / MariaDB: `enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]`
    - PostgreSQL: `enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]`
    - SQL Server: `enabled_cloudwatch_logs_exports = ["agent", "error"]`
    - Oracle: `enabled_cloudwatch_logs_exports = ["alert", "audit", "listener", "oemagent", "trace"]`
- **Require an Amazon RDS database cluster to have encryption at rest configured**
  - Remediation: set `storage_encrypted = true`.
- **Require an Amazon RDS event notification subscription to have critical database instance events configured**
  - Remediation: set `enabled = true` and add `"maintenance"`, `"failure"`, and `"configuration change"` to `event_categories`.
- **Require an Amazon RDS event notification subscription to have critical database parameter group events configured**
  - Remediation: set `enabled = true` and add `"configuration change"` to `event_categories`.
- **Require an Amazon RDS event notification subscription to have critical database parameter group events configured**
  - Remediation: set `enabled = true` and add `"configuration change"` and `"failure"` to `event_categories`.
- **Require an Amazon RDS database instance not to use a database engine default port**
  - Remediation: set `port` to a non-default port number.
- **Require an Amazon RDS DB cluster to have a unique administrator username**
  - Remediation: set `master_username` to a value other than `admin` or `postgres`.
- **Require an Amazon RDS DB instance to have a unique administrator username**
  - Remediation: set `username` to a value other than `admin` or `postgres`.
- **Require an Amazon RDS database instance to not be publicly accessible**
  - Remediation: set `publicly_accessible = false`.
- **Require an Amazon RDS database instance to have encryption at rest configured**
  - Remediation: set `storage_encrypted = true`.
- **Require an Amazon RDS database cluster to export logs to Amazon CloudWatch Logs by means of the EnableCloudwatchLogsExports property**
  - Remediation: set `enabled_cloudwatch_logs_exports` to a set containing all log types for your database engine.
    - MySQL / Aurora MySQL: `enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]`
    - PostgreSQL: `enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]`
    - Aurora PostgreSQL: `enabled_cloudwatch_logs_exports = ["postgresql"]`
- **Require an Amazon Relational Database Service DB Proxy to require Transport Layer Security (TLS) connections**
  - Remediation: set `require_tls = true`.
- **Require an Amazon Relational Database Service DB cluster parameter group to require Transport Layer Security (TLS) connections for supported engine types**
  - Remediation: for Aurora MySQL or MySQL, add
    ```hcl
    parameter {
      name  = "require_secure_transport"
      value = true
    }
    ```
    For Aurora PostgreSQL or PostgreSQL, add
    ```hcl
    parameter {
      name  = "rds.force_ssl"
      value = true
    }
    ```
- **Require an Amazon Relational Database Service DB parameter group to require Transport Layer Security (TLS) connections for supported engine types**
  - Remediation: for MySQL or MariaDB, add
    ```hcl
    parameter {
      name  = "require_secure_transport"
      value = true
    }
    ```
    For PostgreSQL or SQL Server, add
    ```hcl
    parameter {
      name  = "rds.force_ssl"
      value = true
    }
    ```
- **Require that an Amazon RDS database instance has encryption at rest configured to use a KMS key that you specify for supported engine types**
  - Remediation: set `kms_key_id` to the ARN or alias of an AWS KMS key that is configured to allow RDS usage.
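The RDS instance controls above collected into one PostgreSQL instance, its parameter group and an event subscription, as an added Terraform example that is not from this page. The subnet group, security group, KMS key and monitoring role ARNs are placeholders; `manage_master_user_password` (RDS generates the password and keeps it in Secrets Manager) is an assumption about the provider version in use.

```hcl
resource "aws_db_parameter_group" "pg" {
  name   = "app-postgres16"
  family = "postgres16"
  parameter {
    name  = "rds.force_ssl"   # reject client connections that do not use TLS
    value = "1"
  }
}

resource "aws_sns_topic" "rds_events" {
  name = "rds-events"
}

resource "aws_db_instance" "app" {
  identifier                  = "app-db"
  engine                      = "postgres"
  engine_version              = "16"
  instance_class              = "db.t3.medium"
  allocated_storage           = 50
  username                    = "appadmin"   # not "admin" or "postgres"
  manage_master_user_password = true
  port                        = 5433         # not the engine default 5432
  db_subnet_group_name        = "PLACEHOLDER-subnet-group"
  vpc_security_group_ids      = ["sg-PLACEHOLDER"]
  parameter_group_name        = aws_db_parameter_group.pg.name
  publicly_accessible         = false
  multi_az                    = true
  storage_encrypted           = true
  kms_key_id                  = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"
  iam_database_authentication_enabled = true
  auto_minor_version_upgrade          = true
  deletion_protection                 = true
  backup_retention_period             = 7
  copy_tags_to_snapshot               = true
  monitoring_interval             = 60
  monitoring_role_arn             = "arn:aws:iam::111122223333:role/PLACEHOLDER-rds-monitoring"
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}

# Instance-level notifications for the three critical categories named above.
resource "aws_db_event_subscription" "app" {
  name             = "app-db-events"
  sns_topic        = aws_sns_topic.rds_events.arn
  source_type      = "db-instance"
  source_ids       = [aws_db_instance.app.identifier]
  enabled          = true
  event_categories = ["maintenance", "failure", "configuration change"]
}
```

`rds.force_ssl` is written as the string `"1"` here because RDS accepts only `0` or `1` for that parameter; with `deletion_protection = true`, a `terraform destroy` fails until the flag is cleared first.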