Policies
This section describes the policies you can use to have Code Pipes evaluate your Terraform for potential security misconfigurations and compliance violations prior to deployment.
When you use Terraform infrastructure-as-code, you can have Code Pipes evaluate your Terraform for potential security misconfigurations and compliance violations prior to deployment.
Alternatively, you can choose not to have Code Pipes evaluate your Terraform. This lets you deploy anything you want via Terraform.
-
To validate your Terraform, choose the Ollion Best Practice policy, whose rules are listed below.
-
To skip validation, choose the Unrestricted policy.
Ollion Best Practice rules
| Provider | Service | Rule Name | Rule Summary |
|---|---|---|---|
| AWS | CloudTrail | cloudtrail_log_file_validation | CloudTrail log file validation should be enabled |
| AWS | EBS | ebs_volume_encrypted | EBS volume encryption should be enabled |
| AWS | IAM | iam_admin_policy | IAM policies should not have full ":" administrative privileges |
| AWS | IAM | iam_user_attached_policy | IAM policies should not be attached directly to users |
| AWS | KMS | kms_rotate | KMS CMK rotation should be enabled |
| AWS | VPC | security_group_ingress_anywhere | VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443 |
| AWS | VPC | security_group_ingress_anywhere_rdp | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol) |
| AWS | VPC | security_group_ingress_anywhere_ssh | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) |
| AWS | VPC | vpc_flow_log | VPC flow logging should be enabled |
| GCP | KMS | kms_cryptokey_rotate | KMS crypto keys should be rotated at least once every 365 days |
| GCP | Compute | compute_firewall_no_ingress_22 | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) |
| GCP | Compute | compute_firewall_no_ingress_3389 | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP) |
| GCP | Compute | compute_subnet_private_google_access | VPC subnet 'Private Google Access' should be enabled |
| GCP | Compute | compute_subnet_flow_log_enabled | VPC subnet flow logging should be enabled |
| Azure | Storage Account | storage_account_deny_access | Storage accounts should deny access from all networks by default |
| Azure | Storage Account | storage_account_microsoft_services | Storage accounts 'Trusted Microsoft Services' access should be enabled |
| Azure | Storage Accont | storage_account_secure_transfer | Storage accounts 'Secure transfer required' should be enabled |
| Azure | Blob Storage | storage_container_private_access | Storage containers should have access set to 'private' |
| Azure | Virtual Network | network_security_group_no_inbound_22 | Network security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) |
| network_security_rule_no_inbound_22 | |||
| Azure | Virtual Network | network_security_group_no_inbound_3389 | Network security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP) |
| network_security_rule_no_inbound_3389 | |||
| Azure | SQL Server | sql_server_firewall_no_inbound_all | SQL Server firewall rules should not permit ingress from 0.0.0.0/0 to all ports and protocols |
Updated 9 months ago