My Saved Presets
You must be logged in to view saved presets

Loading Library ...

Cloudformation Guard Rules for Amazon FSx

CloudFormation guard rules template for FSx resources

The following rules are included: 

  • Automated Backups Enabled
  • KMS Encryption At-Rest
  • Multi-AZ Deployment

let fsx_filesystems = Resources.*[
	Type == "AWS::FSx::FileSystem"
]

rule fsx_automated_backups when %fsx_filesystems !empty {
	%fsx_filesystems {
		Properties {
			when FileSystemType == "LUSTRE" {
				LustreConfiguration exists <<LustreConfiguration is not configured. (i.e disabled)>>
				when LustreConfiguration exists {
					LustreConfiguration {
						when DeploymentType exists 
						DeploymentType == "PERSISTENT_1" {
							AutomaticBackupRetentionDays exists <<AutomaticBackupRetentionDays is not configured. (i.e disabled)>>
							when AutomaticBackupRetentionDays exists {
								AutomaticBackupRetentionDays > 0 <<Automated backups are disabled.>>
							}
						}
					}
				}
			}

			when FileSystemType == "ONTAP" {
				OntapConfiguration {
					AutomaticBackupRetentionDays exists <<AutomaticBackupRetentionDays is not configured. (i.e disabled)>>
					when AutomaticBackupRetentionDays exists {
						AutomaticBackupRetentionDays > 0 <<Automated backups are disabled.>>
					}
				}
			}

			when FileSystemType == "OPENZFS" {
				OpenZFSConfiguration {
					AutomaticBackupRetentionDays exists <<AutomaticBackupRetentionDays is not configured. (i.e disabled)>>
					when AutomaticBackupRetentionDays exists {
						AutomaticBackupRetentionDays > 0 <<Automated backups are disabled.>>
					}
				}
			}

			when FileSystemType == "WINDOWS" {
				WindowsConfiguration {
					AutomaticBackupRetentionDays !exists OR
					AutomaticBackupRetentionDays exists
					when AutomaticBackupRetentionDays exists {
						AutomaticBackupRetentionDays > 0 <<Automated backups are disabled.>>
					}
				}
			}
		}
	}
}

rule fsx_encryption_customer_cmk when %fsx_filesystems !empty {
	%fsx_filesystems {
		Properties {
			when FileSystemType IN ["WINDOWS", "ONTAP"] {
				KmsKeyId exists <<Amazon FSx-managed key is used.>>
			}

			when FileSystemType == "LUSTRE" {
				when LustreConfiguration.DeploymentType exists
				LustreConfiguration.DeploymentType IN ["PERSISTENT_1", "PERSISTENT_2"] {
					KmsKeyId exists <<Amazon FSx-managed key is used.>>
				}
			}
		}
	}
}

rule fsx_multi_az when %fsx_filesystems !empty {
	%fsx_filesystems {
		Properties {
			when FileSystemType == "ONTAP" {
				OntapConfiguration {
					DeploymentType == "MULTI_AZ_1" <<Multi-AZ deployment is not configured.>>
				}
			}

			when FileSystemType == "WINDOWS" {
				WindowsConfiguration {
					DeploymentType exists <<Multi-AZ deployment is not configured.>>
					when DeploymentType exists {
						DeploymentType == "MULTI_AZ_1" <<Multi-AZ deployment is not configured.>>
					}
				}
			}
		}
	}
}

Actions



Customize Template

* Required field

© 2024 asecurecloud. All rights reserved.