lhitchon
committed
Apr 10, 2018
1 parent
d178241
commit 732f87c
Showing
6 changed files
with
208 additions
and
0 deletions.
@@ -0,0 +1,33 @@ | ||
resource "aws_kms_key" "key_for_s3_encryption" { | ||
description = "key for S3 bucket encryption" | ||
} | ||
|
||
resource "aws_s3_bucket" "bucket_example_1" { | ||
acl = "public-read" | ||
tags = { | ||
project = "web" | ||
classification = "PII" | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket" "bucket_example_2" { | ||
acl = "public-read-write" | ||
server_side_encryption_configuration { | ||
rule { | ||
apply_server_side_encryption_by_default { | ||
kms_master_key_id = "${aws_kms_key.key_for_s3_encryption.arn}" | ||
sse_algorithm = "aws:kms" | ||
} | ||
} | ||
} | ||
tags = { | ||
project = "web" | ||
classification = "HIPAA" | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket" "bucket_example_3" { | ||
tags = { | ||
classification = "public" | ||
} | ||
} |
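Review bot: Nothing in this fixture records which bucket is expected to trip which rule, so a reader cannot tell whether bucket_example_1 (classification PII, no server_side_encryption_configuration) failing is the intended outcome or an oversight. Add a header comment such as `# bucket_example_1: expected FAILURE (PII, no encryption block); bucket_example_2: expected pass (HIPAA, KMS encryption); bucket_example_3: not evaluated, classification is neither PII nor HIPAA`. Note also that bucket_example_1 and bucket_example_2 set `acl = "public-read"` and `acl = "public-read-write"` on buckets tagged PII and HIPAA while no rule in this commit asserts on `acl`; if that is deliberate for the fixture, say so in the same comment, otherwise an ACL rule alongside the encryption one would be worth adding.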
@@ -0,0 +1,72 @@ | ||
--- | ||
version: 1 | ||
description: Terraform rules for demo | ||
type: Terraform | ||
files: | ||
- "*.tf" | ||
rules: | ||
|
||
- id: NO_IAM_ROLES | ||
message: Creating an IAM role is not allowed | ||
resource: "aws_iam_role" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_ROLE_POLICIES | ||
message: Creating an IAM role policy is not allowed | ||
resource: "aws_iam_role_policy" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_GROUPS | ||
message: Creating an IAM group is not allowed | ||
resource: "aws_iam_group" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_GROUP_POLICIES | ||
message: Creating an IAM group policy is not allowed | ||
resource: "aws_iam_group_policy" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_POLICIES | ||
message: Creating an IAM policy is not allowed | ||
resource: "aws_iam_policy" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_USERS | ||
message: Creating an IAM user is not allowed | ||
resource: "aws_iam_user" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_USER_POLICIES | ||
message: Creating an IAM user policy is not allowed | ||
resource: "aws_iam_user_policy" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_INSTANCE_PROFILE | ||
message: Creating an IAM instance profile is not allowed | ||
resource: "aws_iam_instance_profile" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
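Review bot: This rules file is duplicated rule for rule by the next file in the commit (`description: Terraform rules for creation of IAM resources`), and the two copies already disagree: this one carries NO_IAM_INSTANCE_PROFILE, the other stops at NO_IAM_USER_POLICIES. Two copies of a deny list drift apart silently, and the copy that lacks the instance-profile rule will not report an `aws_iam_instance_profile` resource. Keep a single file, or add a comment at the top of each stating which is canonical, e.g. `# Demo copy of the IAM deny-list; keep in sync with the IAM rules file (NO_IAM_INSTANCE_PROFILE is only here)`.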
@@ -0,0 +1,65 @@ | ||
--- | ||
version: 1 | ||
description: Terraform rules for creation of IAM resources | ||
type: Terraform | ||
files: | ||
- "*.tf" | ||
rules: | ||
|
||
- id: NO_IAM_ROLES | ||
message: Creating an IAM role is not allowed | ||
resource: "aws_iam_role" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_ROLE_POLICIES | ||
message: Creating an IAM role policy is not allowed | ||
resource: "aws_iam_role_policy" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_GROUPS | ||
message: Creating an IAM group is not allowed | ||
resource: "aws_iam_group" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_GROUP_POLICIES | ||
message: Creating an IAM group policy is not allowed | ||
resource: "aws_iam_group_policy" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_POLICIES | ||
message: Creating an IAM policy is not allowed | ||
resource: "aws_iam_policy" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_USERS | ||
message: Creating an IAM user is not allowed | ||
resource: "aws_iam_user" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
- id: NO_IAM_USER_POLICIES | ||
message: Creating an IAM user policy is not allowed | ||
resource: "aws_iam_user_policy" | ||
severity: FAILURE | ||
assertions: | ||
- key: "@" | ||
op: absent | ||
|
||
|
@@ -0,0 +1,19 @@ | ||
version: 1 | ||
description: Rules for Terraform configuration files | ||
type: Terraform | ||
files: | ||
- "*.tf" | ||
rules: | ||
|
||
- id: S3_BUCKET_ENCRYPTION | ||
message: S3 Bucket should be encrypted | ||
resource: aws_s3_bucket | ||
severity: FAILURE | ||
conditions: | ||
- key: "tags[].classification[] | [0]" | ||
op: in | ||
value: PII,HIPAA | ||
assertions: | ||
- key: server_side_encryption_configuration | ||
op: present | ||
|
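Review bot: The assertion on `server_side_encryption_configuration` only checks that the block exists, so an empty block or one with an unexpected `sse_algorithm` satisfies the rule. If the `in` operator accepts a JMESPath key the way the condition above does (inferred from the `tags[].classification[] | [0]` form, not confirmed here), tighten it to `- key: "server_side_encryption_configuration[].rule[].apply_server_side_encryption_by_default[].sse_algorithm | [0]"`, `op: in`, `value: aws:kms,AES256`. The condition is also case-sensitive on the tag value, so a bucket tagged `pii` is simply out of scope rather than failed, and a bucket with no classification tag at all (bucket_example_3 in the fixture) is never evaluated; add a comment on the rule stating that the classification tag must be exactly PII or HIPAA for the rule to apply.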