# Tags shared by every benchmark in this file: the mod-wide Control Tower tags
# plus the control_set identifier for this group of controls.
locals {
  audit_manager_control_tower_disallow_public_access_common_tags = merge(
    local.audit_manager_control_tower_common_tags,
    { control_set = "disallow_public_access" }
  )
}
# Parent benchmark for the "Disallow Public Access" control set. It carries no
# controls of its own; it only groups the four item-level benchmarks below
# (RDS instances, RDS snapshots, S3 public read, S3 public write).
benchmark "audit_manager_control_tower_disallow_public_access" {
  title       = "Disallow Public Access"
  description = "This benchmark checks if RDS instances, snapshots and S3 buckets are not publicly accessible."
  tags        = local.audit_manager_control_tower_disallow_public_access_common_tags

  # Ordered by Control Tower item id.
  children = [
    benchmark.audit_manager_control_tower_disallow_public_access_4_0_1,
    benchmark.audit_manager_control_tower_disallow_public_access_4_0_2,
    benchmark.audit_manager_control_tower_disallow_public_access_4_1_1,
    benchmark.audit_manager_control_tower_disallow_public_access_4_1_2,
  ]
}
# Item 4.0.1: RDS DB instances must not be publicly accessible. The wrapped
# control is the mod's rds_db_instance_prohibit_public_access check; per the
# description, an instance whose publiclyAccessible field is true is non-compliant.
benchmark "audit_manager_control_tower_disallow_public_access_4_0_1" {
  title       = "4.0.1 - Disallow public access to RDS database instances"
  description = "Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item."
  children    = [control.rds_db_instance_prohibit_public_access]

  tags = merge(
    local.audit_manager_control_tower_disallow_public_access_common_tags,
    {
      audit_manager_control_tower_item_id = "4.0.1"
      service                             = "AWS/RDS"
    }
  )
}
# Item 4.0.2: RDS DB snapshots must not be public. Wraps the mod's
# rds_db_snapshot_prohibit_public_access control; the description covers both
# existing and newly created snapshots.
benchmark "audit_manager_control_tower_disallow_public_access_4_0_2" {
  title       = "4.0.2 - Disallow public access to RDS database snapshots"
  description = "Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public."
  children    = [control.rds_db_snapshot_prohibit_public_access]

  tags = merge(
    local.audit_manager_control_tower_disallow_public_access_common_tags,
    {
      audit_manager_control_tower_item_id = "4.0.2"
      service                             = "AWS/RDS"
    }
  )
}
# Item 4.1.1: S3 buckets must not allow public read access. Wraps the mod's
# s3_bucket_restrict_public_read_access control. The write-access counterpart
# is item 4.1.2; the two are evaluated independently.
benchmark "audit_manager_control_tower_disallow_public_access_4_1_1" {
  title       = "4.1.1 - Disallow public read access to S3 buckets"
  description = "Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access."
  children    = [control.s3_bucket_restrict_public_read_access]

  tags = merge(
    local.audit_manager_control_tower_disallow_public_access_common_tags,
    {
      audit_manager_control_tower_item_id = "4.1.1"
      service                             = "AWS/S3"
    }
  )
}
# Item 4.1.2: S3 buckets must not allow public write access. Wraps the mod's
# s3_bucket_restrict_public_write_access control. The read-access counterpart
# is item 4.1.1; a bucket can fail one item and pass the other.
benchmark "audit_manager_control_tower_disallow_public_access_4_1_2" {
  title       = "4.1.2 - Disallow public write access to S3 buckets"
  description = "Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access."
  children    = [control.s3_bucket_restrict_public_write_access]

  tags = merge(
    local.audit_manager_control_tower_disallow_public_access_common_tags,
    {
      audit_manager_control_tower_item_id = "4.1.2"
      service                             = "AWS/S3"
    }
  )
}