ai-development-patterns/examples/policy-generation/config_rules.yml at main · PaulDuvall/ai-development-patterns · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
# AWS Config Rules for AI Development Platform Compliance
# Generated from compliance requirements using AI assistance

AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS Config Rules for AI Development Platform Security and Compliance'

Resources:
  # S3 Bucket Security Rules
  S3BucketPublicAccessProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-access-prohibited
      Description: 'Checks that Amazon S3 buckets do not allow public access'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_ACCESS_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  S3BucketSSLRequestsOnly:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-ssl-requests-only
      Description: 'Checks whether S3 buckets have policies that require requests to use SSL'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SSL_REQUESTS_ONLY
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  S3BucketServerSideEncryptionEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Description: 'Checks that your S3 bucket either has encryption configured or uses the bucket default encryption'
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  # RDS Database Security Rules
  RDSInstancePubliclyAccessible:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: rds-instance-public-read-prohibited
      Description: 'Checks whether Amazon RDS instances are not publicly accessible'
      Source:
        Owner: AWS
        SourceIdentifier: RDS_INSTANCE_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance

  RDSStorageEncrypted:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: rds-storage-encrypted
      Description: 'Checks whether storage encryption is enabled for your RDS DB instances'
      Source:
        Owner: AWS
        SourceIdentifier: RDS_STORAGE_ENCRYPTED
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBInstance

  RDSSnapshotPublic:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: rds-snapshot-public-prohibited
      Description: 'Checks if Amazon RDS snapshots are public'
      Source:
        Owner: AWS
        SourceIdentifier: RDS_SNAPSHOT_PUBLIC_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBSnapshot
          - AWS::RDS::DBClusterSnapshot

  # EC2 Instance Security Rules
  EC2InstanceNoPublicIP:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-no-public-ip
      Description: 'Checks whether Amazon EC2 instances have a public IP association'
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance

  EC2SecurityGroupSSHRestricted:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: incoming-ssh-disabled
      Description: 'Checks whether security groups disallow unrestricted incoming SSH traffic'
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup

  EC2InstanceDetailedMonitoringEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-detailed-monitoring-enabled
      Description: 'Checks whether detailed monitoring is enabled for EC2 instances'
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance

  # IAM Security Rules
  IAMPasswordPolicy:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-password-policy
      Description: 'Checks whether the account password policy for IAM users meets the specified requirements'
      Source:
        Owner: AWS
        SourceIdentifier: IAM_PASSWORD_POLICY
      InputParameters: |
        {
          "RequireUppercaseCharacters": "true",
          "RequireLowercaseCharacters": "true",
          "RequireSymbols": "true",
          "RequireNumbers": "true",
          "MinimumPasswordLength": "12",
          "PasswordReusePrevention": "5",
          "MaxPasswordAge": "90"
        }

  IAMUserMFAEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-user-mfa-enabled
      Description: 'Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled'
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_MFA_ENABLED

  IAMRootAccessKeyCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-root-access-key-check
      Description: 'Checks whether the root access key is available'
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK

  # VPC Security Rules
  VPCFlowLogsEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: vpc-flow-logs-enabled
      Description: 'Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for VPC'
      Source:
        Owner: AWS
        SourceIdentifier: VPC_FLOW_LOGS_ENABLED

  VPCDefaultSecurityGroupClosed:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: vpc-default-security-group-closed
      Description: 'Checks that the default security group of any VPC does not allow inbound or outbound traffic'
      Source:
        Owner: AWS
        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup

  # CloudTrail Logging Rules
  CloudTrailEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudtrail-enabled
      Description: 'Checks whether AWS CloudTrail is enabled in your AWS account'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED

  CloudTrailLogFileValidationEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudtrail-log-file-validation-enabled
      Description: 'Checks whether AWS CloudTrail creates a signed digest file with logs'
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED

  # KMS Encryption Rules
  KMSKeyRotationEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cmk-backing-key-rotation-enabled
      Description: 'Checks whether key rotation is enabled for customer master key (CMK) in AWS Key Management Service'
      Source:
        Owner: AWS
        SourceIdentifier: CMK_BACKING_KEY_ROTATION_ENABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::KMS::Key

  # Lambda Function Security Rules
  LambdaFunctionPublicAccessProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: lambda-function-public-access-prohibited
      Description: 'Checks whether the Lambda function policy prohibits public access'
      Source:
        Owner: AWS
        SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::Lambda::Function

  LambdaInsideVPC:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: lambda-inside-vpc
      Description: 'Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud'
      Source:
        Owner: AWS
        SourceIdentifier: LAMBDA_INSIDE_VPC
      Scope:
        ComplianceResourceTypes:
          - AWS::Lambda::Function

  # Custom Config Rules for AI Development
  AIContainerImageScanRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ai-container-image-scan-enabled
      Description: 'Checks whether ECR repositories have image scanning enabled for AI workloads'
      Source:
        Owner: AWS
        SourceIdentifier: ECR_PRIVATE_IMAGE_SCANNING_ENABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::ECR::Repository

  AIDataEncryptionRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ai-data-encryption-required
      Description: 'Custom rule to check AI training data is encrypted at rest and in transit'
      Source:
        Owner: AWS_CONFIG_RULE
        SourceIdentifier: arn:aws:lambda:us-east-1:123456789012:function:ai-data-encryption-check
      InputParameters: |
        {
          "requiredEncryption": "AES256",
          "transitEncryption": "TLS1.2"
        }

  # Compliance Aggregation
  ComplianceAggregatorRule:
    Type: AWS::Config::ConfigurationAggregator
    Properties:
      ConfigurationAggregatorName: ai-development-compliance-aggregator
      AccountAggregationSources:
        - AccountIds:
            - !Ref 'AWS::AccountId'
          AllAwsRegions: true
      OrganizationAggregationSource:
        AllAwsRegions: true
        RoleArn: !GetAtt ConfigAggregatorRole.Arn

  # IAM Role for Config Aggregator
  ConfigAggregatorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/ConfigRole
      Policies:
        - PolicyName: ConfigAggregatorPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - config:PutAggregator
                  - config:GetAggregateComplianceDetailsByConfigRule
                  - config:GetAggregateConfigRuleComplianceSummary
                Resource: '*'

  # Remediation Actions
  S3BucketEncryptionRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3BucketServerSideEncryptionEnabled
      TargetType: SSM_DOCUMENT
      TargetId: AWSConfigRemediation-EnableS3BucketDefaultEncryption
      TargetVersion: '1'
      Parameters:
        AutomationAssumeRole:
          StaticValue: !GetAtt RemediationRole.Arn
        BucketName:
          ResourceValue: RESOURCE_ID
        SSEAlgorithm:
          StaticValue: AES256

  # IAM Role for Remediation
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
      Policies:
        - PolicyName: S3RemediationPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutEncryptionConfiguration
                  - s3:GetEncryptionConfiguration
                Resource: '*'

Outputs:
  ConfigRuleNames:
    Description: 'List of deployed Config Rules'
    Value: !Join
      - ','
      - - !Ref S3BucketPublicAccessProhibited
        - !Ref RDSInstancePubliclyAccessible
        - !Ref EC2InstanceNoPublicIP
        - !Ref IAMPasswordPolicy
        - !Ref VPCFlowLogsEnabled
        - !Ref CloudTrailEnabled

  ComplianceAggregator:
    Description: 'Configuration Aggregator for compliance monitoring'
    Value: !Ref ComplianceAggregatorRule
    Export:
      Name: !Sub '${AWS::StackName}-ComplianceAggregator'