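##################################################################################
#
# Conformance Pack:
# Operational Best Practices for DevOps
#
# See Parameters section for names and descriptions of required parameters.
#
# Layout: one AWS::Config::ConfigRule per AWS managed rule, grouped by service.
# Every rule uses Owner: AWS, so the check logic lives in the managed rule
# named by SourceIdentifier; this template only selects rules, their scope,
# and (for codepipeline-region-fanout-check) one input parameter.
#
##################################################################################
---
Parameters:
  # Forwarded to codepipeline-region-fanout-check as regionFanoutFactor.
  # Declared as String (and the default quoted) so the value is passed through
  # untouched; the Condition at the bottom of the file only forwards it to the
  # rule when it is non-empty, otherwise the rule gets AWS::NoValue.
  CodepipelineRegionFanoutCheckParamRegionFanoutFactor:
    Default: '3'
    Type: String

Resources:
  # --- API Gateway ---
  ApiGwXrayEnabled:
    Properties:
      ConfigRuleName: api-gw-xray-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ApiGateway::Stage
      Source:
        Owner: AWS
        SourceIdentifier: API_GW_XRAY_ENABLED
    Type: AWS::Config::ConfigRule

  # --- Elastic Beanstalk (health reporting; managed updates further down) ---
  BeanstalkEnhancedHealthReportingEnabled:
    Properties:
      ConfigRuleName: beanstalk-enhanced-health-reporting-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticBeanstalk::Environment
      Source:
        Owner: AWS
        SourceIdentifier: BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED
    Type: AWS::Config::ConfigRule

  # --- CloudFormation ---
  CloudformationStackNotificationCheck:
    Properties:
      ConfigRuleName: cloudformation-stack-notification-check
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFormation::Stack
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_NOTIFICATION_CHECK
    Type: AWS::Config::ConfigRule

  # --- CodeBuild: build-pipeline hardening (encrypted artifacts and S3 logs,
  # logging on, no privileged build environment, no AWS credentials in
  # environment variables, source-repo URL check) ---
  CodebuildProjectArtifactEncryption:
    Properties:
      ConfigRuleName: codebuild-project-artifact-encryption
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeBuild::Project
      Source:
        Owner: AWS
        SourceIdentifier: CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION
    Type: AWS::Config::ConfigRule
  CodebuildProjectEnvironmentPrivilegedCheck:
    Properties:
      ConfigRuleName: codebuild-project-environment-privileged-check
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeBuild::Project
      Source:
        Owner: AWS
        SourceIdentifier: CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK
    Type: AWS::Config::ConfigRule
  CodebuildProjectEnvvarAwscredCheck:
    Properties:
      ConfigRuleName: codebuild-project-envvar-awscred-check
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeBuild::Project
      Source:
        Owner: AWS
        SourceIdentifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
    Type: AWS::Config::ConfigRule
  CodebuildProjectLoggingEnabled:
    Properties:
      ConfigRuleName: codebuild-project-logging-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeBuild::Project
      Source:
        Owner: AWS
        SourceIdentifier: CODEBUILD_PROJECT_LOGGING_ENABLED
    Type: AWS::Config::ConfigRule
  CodebuildProjectS3LogsEncrypted:
    Properties:
      ConfigRuleName: codebuild-project-s3-logs-encrypted
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeBuild::Project
      Source:
        Owner: AWS
        SourceIdentifier: CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED
    Type: AWS::Config::ConfigRule
  CodebuildProjectSourceRepoUrlCheck:
    Properties:
      ConfigRuleName: codebuild-project-source-repo-url-check
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeBuild::Project
      Source:
        Owner: AWS
        SourceIdentifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
    Type: AWS::Config::ConfigRule

  # --- CodeDeploy: safe-rollout settings on deployment groups ---
  CodedeployAutoRollbackMonitorEnabled:
    Properties:
      ConfigRuleName: codedeploy-auto-rollback-monitor-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeDeploy::DeploymentGroup
      Source:
        Owner: AWS
        SourceIdentifier: CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED
    Type: AWS::Config::ConfigRule
  CodedeployEc2MinimumHealthyHostsConfigured:
    Properties:
      ConfigRuleName: codedeploy-ec2-minimum-healthy-hosts-configured
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeDeploy::DeploymentGroup
      Source:
        Owner: AWS
        SourceIdentifier: CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED
    Type: AWS::Config::ConfigRule
  CodedeployLambdaAllatonceTrafficShiftDisabled:
    Properties:
      ConfigRuleName: codedeploy-lambda-allatonce-traffic-shift-disabled
      Scope:
        ComplianceResourceTypes:
          - AWS::CodeDeploy::DeploymentGroup
      Source:
        Owner: AWS
        SourceIdentifier: CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED
    Type: AWS::Config::ConfigRule

  # --- CodePipeline ---
  CodepipelineDeploymentCountCheck:
    Properties:
      ConfigRuleName: codepipeline-deployment-count-check
      Scope:
        ComplianceResourceTypes:
          - AWS::CodePipeline::Pipeline
      Source:
        Owner: AWS
        SourceIdentifier: CODEPIPELINE_DEPLOYMENT_COUNT_CHECK
    Type: AWS::Config::ConfigRule
  # The only parameterised rule in this pack. regionFanoutFactor is taken from
  # the stack parameter when the matching Condition is true and omitted
  # (AWS::NoValue) when the parameter is empty.
  CodepipelineRegionFanoutCheck:
    Properties:
      ConfigRuleName: codepipeline-region-fanout-check
      InputParameters:
        regionFanoutFactor:
          Fn::If:
            - codepipelineRegionFanoutCheckParamRegionFanoutFactor
            - Ref: CodepipelineRegionFanoutCheckParamRegionFanoutFactor
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::CodePipeline::Pipeline
      Source:
        Owner: AWS
        SourceIdentifier: CODEPIPELINE_REGION_FANOUT_CHECK
    Type: AWS::Config::ConfigRule

  # --- ECR (private registries): image scanning, lifecycle policy,
  # tag immutability ---
  EcrPrivateImageScanningEnabled:
    Properties:
      ConfigRuleName: ecr-private-image-scanning-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ECR::Repository
      Source:
        Owner: AWS
        SourceIdentifier: ECR_PRIVATE_IMAGE_SCANNING_ENABLED
    Type: AWS::Config::ConfigRule
  EcrPrivateLifecyclePolicyConfigured:
    Properties:
      ConfigRuleName: ecr-private-lifecycle-policy-configured
      Scope:
        ComplianceResourceTypes:
          - AWS::ECR::Repository
      Source:
        Owner: AWS
        SourceIdentifier: ECR_PRIVATE_LIFECYCLE_POLICY_CONFIGURED
    Type: AWS::Config::ConfigRule
  EcrPrivateTagImmutabilityEnabled:
    Properties:
      ConfigRuleName: ecr-private-tag-immutability-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ECR::Repository
      Source:
        Owner: AWS
        SourceIdentifier: ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED
    Type: AWS::Config::ConfigRule

  # --- ECS: cluster insights, service platform version, and task-definition
  # container hardening (non-privileged, read-only root, memory hard limit,
  # non-root user, pid mode, user for host network mode) ---
  EcsContainerInsightsEnabled:
    Properties:
      ConfigRuleName: ecs-container-insights-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::Cluster
      Source:
        Owner: AWS
        SourceIdentifier: ECS_CONTAINER_INSIGHTS_ENABLED
    Type: AWS::Config::ConfigRule
  EcsContainersNonprivileged:
    Properties:
      ConfigRuleName: ecs-containers-nonprivileged
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_CONTAINERS_NONPRIVILEGED
    Type: AWS::Config::ConfigRule
  EcsContainersReadonlyAccess:
    Properties:
      ConfigRuleName: ecs-containers-readonly-access
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_CONTAINERS_READONLY_ACCESS
    Type: AWS::Config::ConfigRule
  EcsFargateLatestPlatformVersion:
    Properties:
      ConfigRuleName: ecs-fargate-latest-platform-version
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::Service
      Source:
        Owner: AWS
        SourceIdentifier: ECS_FARGATE_LATEST_PLATFORM_VERSION
    Type: AWS::Config::ConfigRule
  EcsTaskDefinitionMemoryHardLimit:
    Properties:
      ConfigRuleName: ecs-task-definition-memory-hard-limit
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT
    Type: AWS::Config::ConfigRule
  EcsTaskDefinitionNonrootUser:
    Properties:
      ConfigRuleName: ecs-task-definition-nonroot-user
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_NONROOT_USER
    Type: AWS::Config::ConfigRule
  EcsTaskDefinitionPidModeCheck:
    Properties:
      ConfigRuleName: ecs-task-definition-pid-mode-check
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_PID_MODE_CHECK
    Type: AWS::Config::ConfigRule
  EcsTaskDefinitionUserForHostModeCheck:
    Properties:
      ConfigRuleName: ecs-task-definition-user-for-host-mode-check
      Scope:
        ComplianceResourceTypes:
          - AWS::ECS::TaskDefinition
      Source:
        Owner: AWS
        SourceIdentifier: ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK
    Type: AWS::Config::ConfigRule

  # --- EKS ---
  # NOTE(review): these two rules carry no Scope block, unlike every other rule
  # in the pack. That matches how they are written here; before adding a
  # ComplianceResourceTypes scope, confirm the managed rule's trigger type
  # supports resource-scoped evaluation.
  EksEndpointNoPublicAccess:
    Properties:
      ConfigRuleName: eks-endpoint-no-public-access
      Source:
        Owner: AWS
        SourceIdentifier: EKS_ENDPOINT_NO_PUBLIC_ACCESS
    Type: AWS::Config::ConfigRule
  EksSecretsEncrypted:
    Properties:
      ConfigRuleName: eks-secrets-encrypted
      Source:
        Owner: AWS
        SourceIdentifier: EKS_SECRETS_ENCRYPTED
    Type: AWS::Config::ConfigRule

  # --- Elastic Beanstalk (managed platform updates) ---
  ElasticBeanstalkManagedUpdatesEnabled:
    Properties:
      ConfigRuleName: elastic-beanstalk-managed-updates-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticBeanstalk::Environment
      Source:
        Owner: AWS
        SourceIdentifier: ELASTIC_BEANSTALK_MANAGED_UPDATES_ENABLED
    Type: AWS::Config::ConfigRule

Conditions:
  # True when the fan-out parameter is non-empty. Referenced by the Fn::If in
  # CodepipelineRegionFanoutCheck so that an empty parameter value is dropped
  # (AWS::NoValue) instead of being sent to the rule as an empty string.
  codepipelineRegionFanoutCheckParamRegionFanoutFactor:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: CodepipelineRegionFanoutCheckParamRegionFanoutFactor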