You must be logged in to view saved presets
Cloudformation Guard Rules for EC2
CloudFormation guard rules template for EC2 resources
The following rules are included:
- EBS Encryption Enabled
- EC2 Termination Protection Enabled
- EC2 EBS Optimization Enabled
- EC2 Attached Volume Delete-On Termination enabled
- Detailed Monitoring Enabled
- EC2 IAM Instance Profile Attached
let ebs_volumes = Resources.*[
Type == "AWS::EC2::Volume"
]
let ec2_instances = Resources.*[
Type == "AWS::EC2::Instance"
]
rule ec2_ebs_encryption when %ebs_volumes !empty OR %ec2_instances !empty {
when %ebs_volumes !empty {
%ebs_volumes {
Properties {
Encrypted exists <<Encryption not configured. (Defaults to region default settings.)>>
when Encrypted exists {
Encrypted == true <<Encryption is disabled.>>
}
}
}
}
when %ec2_instances !empty {
%ec2_instances {
Properties {
when BlockDeviceMappings exists {
BlockDeviceMappings.* {
when Ebs exists {
Ebs {
Encrypted exists <<Encryption not configured. (Defaults to region default settings.)>>
when Encrypted exists {
Encrypted == true <<Encryption is disabled.>>
}
}
}
}
}
}
}
}
}
rule ec2_termination_protection when %ec2_instances !empty {
%ec2_instances {
Properties {
DisableApiTermination !exists OR
DisableApiTermination exists
when DisableApiTermination exists {
DisableApiTermination == true <<Termination protection is disabled.>>
}
}
}
}
rule ec2_instance_ebs_optimized when %ec2_instances !empty {
%ec2_instances {
Properties {
EbsOptimized exists <<EbsOptimized is not configured. (i.e. disabled)>>
when EbsOptimized exists {
EbsOptimized == true <<EbsOptimized is disabled.>>
}
}
}
}
rule ec2_ebs_attached_volume_delete_on_termination_enabled when %ec2_instances !empty {
%ec2_instances {
Properties {
when BlockDeviceMappings exists {
BlockDeviceMappings.* {
when Ebs exists {
Ebs {
DeleteOnTermination !exists OR
DeleteOnTermination exists
when DeleteOnTermination exists {
DeleteOnTermination == true <<DeleteOnTermination is disabled.>>
}
}
}
}
}
}
}
}
rule ec2_instance_detailed_monitoring_enabled when %ec2_instances !empty {
%ec2_instances {
Properties {
Monitoring exists <<Monitoring is not configured. (i.e. disabled)>>
when Monitoring exists {
Monitoring == true <<Enhanced monitoring is disabled.>>
}
}
}
}
rule ec2_iam_associated when %ec2_instances !empty {
%ec2_instances {
Properties {
IamInstanceProfile exists <<IamInstanceProfile is not configured. (i.e. disabled)>>
}
}
}
Actions
Customize Template
* Required field
© 2024 asecurecloud. All rights reserved.