Pre-written Sentinel policies are ready-to-use compliance checks for the FSBP AWS Foundations Benchmark that help your AWS resources meet industry security standards.
At HashiCorp, we’re committed to making policy management easier for our customers. We understand that developing policies from scratch can be time-consuming and resource-intensive. To address this, we’re introducing our Prewritten Policy Libraries—expertly crafted, ready-to-use policies designed to streamline your compliance processes and enhance security across your infrastructure.
This repository contains several policies designed to accelerate the adoption of the FSBP AWS Foundations Benchmark within HCP Terraform. These policies can be utilized to enforce best practices and security standards across your AWS environment.
For more details on how to work with these policies and to understand the Sentinel language and framework, please refer to the Sentinel documentation or the README documentation included with each of the policy libraries.
We aim to validate the effectiveness of our policies by collecting diverse user feedback and understanding real-world use cases. This input will help refine our policies and enhance their overall impact.
- You can submit your feedback via a public survey.
- If you have any issues or enhancement suggestions for the library, please create a new GitHub issue.
- Alternatively, we welcome any contributions that improve the impact of this library! To learn more about contributing and suggesting changes to this library, refer to the contributing guide.
This getting started guide assumes that:
- You are familiar with core workflows in HCP Terraform and Terraform Enterprise, and you have an existing workspace configured with AWS access credentials.
  Tip: If you do not have these prerequisites, please refer to the Use VCS-Driven Workflow and Create a Variable Set tutorials for guidance.
- You have a user account that is part of the "owners" team or that has "Manage Policies" organization-level permissions to create new policy sets and policies.
- You are using HCP Terraform or Terraform Enterprise v202312-1 or a later version.
- You are using Sentinel version 0.26.x or a later version.
By default, the module will enable all policies within the library, and they will be enforced by the HCP Platform with the `enforcement_level` set to `advisory` only.

Example:

```hcl
policy "iam-password-expiry" {
  source            = "./policies/iam/iam-password-expiry.sentinel"
  enforcement_level = "advisory"
  params = {
    password_expiry_days = 90
  }
}
```

If you want to enable only a subset of the policies or change the enforcement levels to either `soft-mandatory` or `hard-mandatory`, we recommend updating the contents of the `sentinel.hcl` file in each library before applying the Terraform configuration.
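As an added example (not the library's own `sentinel.hcl`), the following `sentinel.hcl` enables only two policies and raises their enforcement above the default; the module name and the second policy's source path are placeholders, since the real module names and paths come from each library's shipped `sentinel.hcl`.

```hcl
# Added example, not the library's shipped sentinel.hcl: enables only two
# policies and raises their enforcement above the default "advisory".
# The module block and the second policy's source path are placeholders;
# the real module names and paths come from the library's own sentinel.hcl.
module "placeholder-helper-module" {
  source = "./modules/placeholder-helper-module.sentinel"   # placeholder path
}

# Kept from the page's example, but tightened: a failing password-expiry
# check now blocks the run and cannot be overridden.
policy "iam-password-expiry" {
  source            = "./policies/iam/iam-password-expiry.sentinel"
  enforcement_level = "hard-mandatory"
  params = {
    password_expiry_days = 90
  }
}

# Soft-mandatory: the run fails, but a user with override permission can
# continue after reviewing the finding. The source path is a placeholder.
policy "placeholder-s3-block-public-access" {
  source            = "./policies/s3/PLACEHOLDER.sentinel"
  enforcement_level = "soft-mandatory"
}

# Every other policy in the library is omitted here and is therefore not
# evaluated at all; add a policy block for each check you want enforced.
```

Policies not listed in `sentinel.hcl` are silently skipped, so review the file against the policy list below rather than assuming the defaults still apply.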
Important: The policies in each library are opinionated and depend on several Sentinel modules. To learn more about modules, please refer to the Sentinel module documentation.
To learn more about how to configure a policy set as a policy evaluation, please review the Terraform Enterprise provider documentation.
The following methods outline various ways to consume and implement pre-written Sentinel policies for the FSBP AWS Foundations Benchmark. These policies can be used in both Terraform Enterprise (TFE) and HCP Terraform environments. Below are the recommended methods for integrating these policies into your workflows.
- Navigate to the Terraform Registry and select the desired Sentinel policy.
- Copy the provided policy snippet from the registry.
- Create a GitHub repository (or use an existing one) to store your policies.
- Add a sentinel.hcl file to the repository and paste the copied policy snippet(s) into this file.
- Connect the repository to HCP Terraform or Terraform Enterprise using the VCS (Version Control System) workflow.
- Trigger policy execution automatically during the plan stage in HCP Terraform or Terraform Enterprise.
- Access the public GitHub repository containing the policy library.
- You can directly use the repository as-is or fork it to customize the policies for your specific requirements.
- If forking, ensure you sync your fork with the upstream repository periodically to stay updated with the latest changes.
- Avoid using the default branch for consumption in HCP Terraform or Terraform Enterprise. Instead, use the release branches for better stability.
- Attach the repository (or your fork) to HCP Terraform or Terraform Enterprise using the VCS workflow.
- Run a Terraform plan to execute the policies during the post-plan stage.
- Use a dedicated Terraform module designed to manage Sentinel policy sets.
- Provide a minimal set of variable inputs (typically four) to configure and attach the policies.
- The module will automatically attach the latest versions of multiple policy sets to their respective workspaces.
- Execute a Terraform plan to verify that the policy sets are applied successfully in HCP Terraform or Terraform Enterprise.
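As an added example (not code from the library or from HashiCorp's policy-set module), the Terraform configuration below attaches the library from a VCS repository as a Sentinel policy set that runs as a policy evaluation, following the release-branch guidance above; the organization name, repository identifier, branch name, OAuth token ID and workspace ID are placeholders.

```hcl
# Added example (not part of the policy library): attaches this library from a
# VCS repository as a Sentinel policy set that runs as a policy evaluation.
# Placeholders: organization name, repository identifier, release branch name,
# OAuth token ID and workspace ID must be replaced with your own values.
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

resource "tfe_policy_set" "fsbp_aws" {
  name         = "fsbp-aws-foundations"
  description  = "Pre-written Sentinel policies for the FSBP AWS Foundations Benchmark"
  organization = "example-org"                                   # placeholder
  kind         = "sentinel"

  # Run the set as a policy evaluation (HCP Terraform agent) on a pinned
  # Sentinel runtime; the prerequisites above require 0.26.x or later.
  agent_enabled       = true
  policy_tool_version = "0.26.0"

  # Consume a release branch of the library (or your fork), not the default
  # branch, per the stability guidance above.
  vcs_repo {
    identifier         = "example-org/policy-library-FSBP-AWS"   # placeholder
    branch             = "release/v1"                            # placeholder
    ingress_submodules = false
    oauth_token_id     = "ot-EXAMPLE"                            # placeholder
  }

  # Enforcement levels per policy still come from sentinel.hcl in the branch;
  # this resource only decides which workspaces the set applies to.
  workspace_ids = ["ws-EXAMPLE"]                                 # placeholder
}
```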
- These policies are compatible with both HCP Terraform and Terraform Enterprise (TFE). Ensure your workflow is configured accordingly.
- When using the public GitHub repository, it is recommended to use release branches for stability and avoid consuming policies directly from the default branch.
- Regularly update your policies to align with the latest FSBP AWS Foundations Benchmark standards and Terraform best practices.
- Customize policies as needed to meet your organization's specific compliance and security requirements.
- Get Started - HCP Terraform
- Connecting VCS Providers to HCP Terraform
- Policy Enforcement
- Managing Policy Sets
- Introduction to Sentinel
- Sentinel Documentation
- Sentinel Language
- Sentinel Language Specification
- Policy Libraries
- AWS Private CA root certificate authority should be disabled (docs | code)
- RSA certificates managed by ACM should use a key length of at least 2,048 bits (docs | code)
- Access logging should be configured for API Gateway V2 Stages (docs | code)
- API Gateway REST and WebSocket API execution logging should be enabled (docs | code)
- API Gateway REST API cache data should be encrypted at rest (docs | code)
- API Gateway REST API stages should be configured to use SSL certificates for backend authentication (docs | code)
- API Gateway REST API stages should have AWS X-Ray tracing enabled (docs | code)
- API Gateway routes should specify an authorization type (docs | code)
- API Gateway should be associated with a WAF Web ACL (docs | code)
- Amazon EC2 Auto Scaling group should cover multiple Availability Zones (docs | code)
- Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates (docs | code)
- Auto Scaling groups should use multiple instance types in multiple Availability Zones (docs | code)
- Auto Scaling groups associated with a load balancer should use ELB health checks (docs | code)
- Amazon EC2 instances launched using Auto Scaling group launch configurations should not have public IP addresses (docs | code)
- AWS Backup Framework Recovery Point should be encrypted at rest (docs | code)
- CloudFront distributions should have WAF enabled (docs | code)
- CloudFront distributions should encrypt traffic to custom origins (docs | code)
- CloudFront distributions should have logging enabled (docs | code)
- CloudFront distributions should have origin failover configured (docs | code)
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins (docs | code)
- CloudFront distributions should use custom SSL/TLS certificates (docs | code)
- CloudFront distributions should use SNI to serve HTTPS requests (docs | code)
- CloudFront distributions should use origin access control (docs | code)
- CloudFront distributions should not point to non-existent S3 origins (docs | code)
- CloudFront distributions should have a default root object configured (docs | code)
- CloudFront distributions should require encryption in transit (docs | code)
- CodeBuild Bitbucket source repository URLs should not contain sensitive credentials (docs | code)
- CodeBuild project environments should have a logging AWS Configuration (docs | code)
- AWS DMS Replication Instances should have the auto_minor_version_upgrade attribute set to true (docs | code)
- AWS DMS Endpoint resources should have an SSL certificate configured (docs | code)
- AWS DMS Endpoint resources should not have the 'auth_mechanism' attribute in 'mongodb_settings' set to 'default' for engine type mongodb (docs | code)
- AWS DMS Endpoint resources should have the 'ssl_security_protocol' attribute in 'redis_settings' set to 'ssl-encryption' for engine type redis (docs | code)
- AWS DMS Replication Instances should have the publicly_accessible attribute set to false (docs | code)
- AWS DMS Replication Tasks should have logging enabled in the 'replication_task_settings' attribute for the source database (docs | code)
- AWS DMS Replication Tasks should have logging enabled in the 'replication_task_settings' attribute for the target database (docs | code)
- AWS DocumentDB clusters should have the enabled_cloudwatch_logs_exports attribute set to 'audit' (docs | code)
- AWS DocumentDB clusters should have backup_retention_period set between 7 and 35 (docs | code)
- AWS DocumentDB clusters should have deletion protection enabled (docs | code)
- AWS DocumentDB clusters should be encrypted at rest (docs | code)
- Amazon DynamoDB Accelerator clusters should have encryption at rest enabled (docs | code)
- Amazon DynamoDB tables should have deletion protection enabled (docs | code)
- Amazon DynamoDB tables should have point-in-time recovery enabled (docs | code)
- Amazon DynamoDB tables should scale their read and write capacity as needed (docs | code)
- Attached Amazon EBS volumes should be encrypted at rest (docs | code)
- AWS EC2 Client VPN endpoints should have client connection logging enabled (docs | code)
- Amazon EBS snapshots should not be publicly restorable (docs | code)
- Amazon EC2 instances should not have a public IPv4 address (docs | code)
- Amazon EC2 instances should not use multiple ENIs (docs | code)
- Amazon EC2 paravirtual instance types should not be used (docs | code)
- EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) (docs | code)
- Amazon EC2 launch templates should not assign public IPs to network interfaces (docs | code)
- EC2 - Ensure the Metadata Service only allows IMDSv2 (docs | code)
- EC2 - Network ACLs should not allow ingress traffic from 0.0.0.0/0 or ::/0 to ports 22 or 3389 (docs | code)
- Unused Network Access Control Lists should be removed (docs | code)
- AWS Security Groups should not allow ingress traffic from 0.0.0.0/0 or ::/0 to common ports (docs | code)
- Security groups should only allow unrestricted incoming traffic for authorized ports (docs | code)
- Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service (docs | code)
- Amazon EC2 subnets should not automatically assign public IP addresses (docs | code)
- Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests (docs | code)
- AWS Site-to-Site VPN Connections should have AWS CloudWatch Logs enabled (docs | code)
- ECR private repositories should have image scanning configured (docs | code)
- ECR repositories should have at least one lifecycle policy configured (docs | code)
- ECR private repositories should have tag immutability configured (docs | code)
- ECS Fargate services should run on the latest Fargate platform version (docs | code)
- ECS services should not have public IP addresses assigned to them automatically (docs | code)
- ECS task definitions should have a logging configuration (docs | code)
- Secrets should not be passed as container environment variables (docs | code)
- ECS containers should be limited to read-only access to root filesystems (docs | code)
- ECS task definitions should not share the host's process namespace (docs | code)
- Amazon ECS task definitions should have secure networking modes and user definitions (docs | code)
- EKS clusters should have audit logging enabled (docs | code)
- EKS clusters should use encrypted Kubernetes secrets (docs | code)
- EKS cluster endpoints should not be publicly accessible (docs | code)
- EKS clusters should run on a supported Kubernetes version (docs | code)
- Amazon ElastiCache for Redis clusters should have automatic backups scheduled (docs | code)
- Amazon ElastiCache for Redis clusters should have automatic minor version upgrades enabled (docs | code)
- Amazon ElastiCache for Redis clusters should not use the default subnet group (docs | code)
- Amazon ElastiCache for Redis replication groups should have automatic failover enabled (docs | code)
- Amazon ElastiCache for Redis replication groups should have encryption at rest enabled (docs | code)
- Amazon ElastiCache for Redis replication groups should have encryption in transit enabled (docs | code)
- Amazon ElastiCache for Redis replication groups should have an auth token set when the Redis version is below 6.0 (docs | code)
- Amazon Elastic Beanstalk environments should have CloudWatch log streaming enabled (docs | code)
- Amazon Elastic Beanstalk environments should have enhanced health reporting enabled (docs | code)
- Amazon Elastic Beanstalk environments should have managed platform updates enabled (docs | code)
- Elasticsearch domains should have audit logging enabled (docs | code)
- Elasticsearch domains should have at least three data nodes (docs | code)
- AWS Elasticsearch domains should be encrypted at rest (docs | code)
- Connections to Elasticsearch domains should be encrypted using the latest TLS security policy (docs | code)
- AWS Elasticsearch domains should not be publicly accessible (docs | code)
- Elasticsearch domain error logging to CloudWatch Logs should be enabled (docs | code)
- AWS Elasticsearch domains should encrypt data between nodes (docs | code)
- Elasticsearch domains should be configured with at least three dedicated master nodes (docs | code)
- Classic Load Balancer listeners should be configured with HTTPS or TLS termination (docs | code)
- Classic Load Balancers should have connection draining enabled (docs | code)
- Classic Load Balancers should have cross-zone load balancing enabled (docs | code)
- Application Load Balancers should be configured to drop HTTP headers (docs | code)
- Application and Classic Load Balancer logging should be enabled (docs | code)
- Application, Gateway, and Network Load Balancers should have deletion protection enabled (docs | code)
- Application Load Balancers should be configured to redirect all HTTP requests to HTTPS (docs | code)
- Classic Load Balancers should span multiple Availability Zones (docs | code)
- Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager (docs | code)
- Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration (docs | code)
- Application Load Balancers should be configured with defensive or strictest desync mitigation mode (docs | code)
- Classic Load Balancers should be configured with defensive or strictest desync mitigation mode (docs | code)
- Amazon EMR block public access setting should be enabled (docs | code)
- EventBridge custom event buses should have a resource-based policy attached (docs | code)
- FSx for Lustre file systems should be configured to copy tags to backups (docs | code)
- FSx for OpenZFS file systems should be configured to copy tags to backups and volumes (docs | code)
- GuardDuty EKS Audit Log Monitoring should be enabled (docs | code)
- GuardDuty EKS Runtime Monitoring should be enabled (docs | code)
- GuardDuty Malware Protection for EC2 should be enabled (docs | code)
- IAM policies should not allow full "*" administrative privileges (docs | code)
- IAM users should not have IAM policies attached (docs | code)
- Password policies for IAM users should have strong configurations (docs | code)
- IAM customer managed policies that you create should not allow wildcard actions for services (docs | code)
- Firehose delivery streams should be encrypted at rest (docs | code)
- KMS: IAM inline policies should not allow decryption actions on all KMS keys (docs | code)
- Lambda function policies should prohibit public access (docs | code)
- Lambda functions should use supported runtimes (docs | code)
- VPC Lambda functions should operate in multiple Availability Zones (docs | code)
- AWS Macie Account should have the status attribute set to "ENABLED" (docs | code)
- AWS MQ Brokers should have the auto_minor_version_upgrade attribute set to true (docs | code)
- ActiveMQ brokers should stream audit logs to CloudWatch (docs | code)
- AWS MQ Brokers should have the in_cluster attribute of encryption_in_transit (within encryption_info) set to true (docs | code)
- Neptune DB clusters should publish audit logs to CloudWatch (docs | code)
- Neptune DB clusters should have automated backups enabled (docs | code)
- Neptune DB clusters should be configured to copy tags to snapshots (docs | code)
- Neptune DB clusters should have IAM database authentication enabled (docs | code)
- Neptune DB clusters should have deletion protection enabled (docs | code)
- Neptune DB clusters should be encrypted at rest (docs | code)
- Neptune DB cluster snapshots should be encrypted at rest (docs | code)
- The default stateless action for Network Firewall policies should be drop or forward for fragmented packets (docs | code)
- The default stateless action for Network Firewall policies should be drop or forward for full packets (docs | code)
- Network Firewall policies should have at least one rule group associated (docs | code)
- Network Firewall firewalls should have deletion protection enabled (docs | code)
- Stateless Network Firewall rule groups should not be empty in AWS Network Firewall (docs | code)
- AWS OpenSearch domains should have fine-grained access control enabled (docs | code)
- AWS OpenSearch domains should have 'enabled' in the log_publishing_options attribute set to true and log_type set to 'AUDIT_LOGS' (docs | code)
- AWS OpenSearch domains should have the instance count in the cluster_config attribute greater than or equal to 3 (docs | code)
- AWS OpenSearch domains should have 'enabled' in the encrypt_at_rest attribute set to true (docs | code)
- Connections to AWS OpenSearch domains should be encrypted using the latest TLS security policy (docs | code)
- OpenSearch domains should not be publicly accessible (docs | code)
- AWS OpenSearch domains should have 'enabled' in the log_publishing_options attribute set to true (docs | code)
- AWS OpenSearch domains should have 'enabled' in the node_to_node_encryption attribute set to true (docs | code)
- AWS OpenSearch domains should have the latest software update installed (docs | code)
- AWS RDS Aurora MySQL Clusters should contain 'audit' in the enabled_cloudwatch_logs_exports attribute (docs | code)
- AWS RDS cluster snapshots and database snapshots should be encrypted at rest (docs | code)
- AWS RDS clusters should be configured to copy tags to snapshots (docs | code)
- AWS RDS Clusters should not have the master_username attribute set to 'admin' (the default value) (docs | code)
- AWS RDS Clusters should have the storage_encrypted attribute set to true (docs | code)
- AWS Event Subscriptions should have Event Notifications configured for the AWS RDS Cluster resource (docs | code)
- AWS RDS DB instances should have encryption at rest enabled (docs | code)
- AWS RDS DB instances should have automatic backups enabled (docs | code)
- AWS RDS DB instances should have automatic minor version upgrade enabled (docs | code)
- AWS RDS instances should have logging configured (docs | code)
- AWS RDS clusters should have backtracking enabled (docs | code)
- AWS RDS clusters should have deletion protection enabled (docs | code)
- AWS RDS clusters should have IAM authentication configured (docs | code)
- AWS RDS clusters should be configured for multiple Availability Zones (docs | code)
- AWS RDS instances should have deletion protection enabled (docs | code)
- AWS RDS instances should have IAM authentication configured (docs | code)
- AWS RDS instances should have monitoring configured (docs | code)
- AWS RDS instances should be configured with Multi-AZ (docs | code)
- RDS instances should not use a database engine default port (docs | code)
- AWS RDS DB instances should be configured to copy tags to snapshots (docs | code)
- AWS RDS DB Instances should not have the username attribute set to 'admin' (the default value) (docs | code)
- AWS RDS DB instances should be deployed in a VPC (docs | code)
- AWS Event Subscriptions should have Event Notifications configured for the AWS RDS Instance resource (docs | code)
- AWS Event Subscriptions should have Event Notifications configured for the AWS RDS Parameter Group resource (docs | code)
- AWS Event Subscriptions should have Event Notifications configured for the AWS RDS Security Group resource (docs | code)
- AWS Redshift Clusters should have the enable attribute in logging set to true, or be referenced by an 'aws_redshift_logging' resource (docs | code)
- AWS Redshift clusters should have automated_snapshot_retention_period set between 7 and 35 (docs | code)
- AWS Redshift Clusters should not have the master_username attribute set to null or 'awsuser' (the default value) (docs | code)
- AWS Redshift Clusters should not have the database_name attribute set to 'dev' (the default value) (docs | code)
- AWS Redshift Clusters should have the enhanced_vpc_routing attribute set to true (docs | code)
- AWS Redshift Clusters should have the allow_version_upgrade attribute set to true (docs | code)
- AWS Redshift Clusters should have the publicly_accessible attribute set to false (docs | code)
- AWS Redshift Clusters should have the encrypted attribute set to true (docs | code)
- AWS Redshift Clusters should have the require_ssl parameter in the AWS Redshift Parameter Group set to true (docs | code)
- Redshift security groups should allow ingress on the cluster port only from restricted origins (docs | code)
- S3 access points should have block public access settings enabled (docs | code)
- S3 general purpose buckets should have block public access settings enabled (docs | code)
- Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (docs | code)
- S3 general purpose buckets should block public read access (docs | code)
- S3 general purpose buckets should block public write access (docs | code)
- S3 general purpose bucket policies should restrict access to other AWS accounts (docs | code)
- Ensure the S3 Bucket Policy is set to deny HTTP requests (docs | code)
- AWS SageMaker Endpoint Configurations should have initial_instance_count greater than one in the production_variants attribute (docs | code)
- AWS SageMaker Notebook instances should be launched in a custom VPC (docs | code)
- AWS SageMaker Notebook instances should have root_access set to "Disabled" (docs | code)
- AWS SageMaker Notebook instances should have direct_internet_access set to "Disabled" (docs | code)
- Secrets Manager secrets should have automatic rotation enabled (docs | code)
- Service Catalog portfolios should be shared within an AWS organization only (docs | code)
- SQS queue access policies should not allow public access (docs | code)
- Step Functions state machines should have logging turned on (docs | code)
- Transfer Family servers should not use the FTP protocol for endpoint connections (docs | code)
- AWS WAF Classic Global Web ACL logging should be enabled (docs | code)
- AWS WAF Classic global rules should have at least one condition (docs | code)
- AWS WAF Classic global rule groups should have at least one rule (docs | code)
- AWS WAF Classic global web ACLs should have at least one rule or rule group (docs | code)
- AWS WAF Classic Regional rules should have at least one condition (docs | code)
- AWS WAF Classic Regional rule groups should have at least one rule (docs | code)
- AWS WAF Classic Regional web ACLs should have at least one rule or rule group (docs | code)
- AWS WAF rules should have CloudWatch metrics enabled (docs | code)
- AWS WAF web ACLs should have at least one rule or rule group (docs | code)