From 6d10a8b293254fa3422214c064e93dd0dc4de835 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Mon, 3 Oct 2022 09:17:23 -0700
Subject: [PATCH 1/6] Add some more resources without Tags property
* AWS::KMS::Alias
* AWS::SageMaker::NotebookInstanceLifecycleConfig
* AWS::Lambda::Permission
* AWS::Athena::NamedQuery
* AWS::Athena::PreparedStatement
* AWS::S3::BucketPolicy
---
 .../infrastructure-related/check-tags-present.guard | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/guard-examples/infrastructure-related/check-tags-present.guard b/guard-examples/infrastructure-related/check-tags-present.guard
index 123768dc6..dd438dcf3 100644
--- a/guard-examples/infrastructure-related/check-tags-present.guard
+++ b/guard-examples/infrastructure-related/check-tags-present.guard
@@ -4,6 +4,12 @@
 #
 let excluded_resources = [
 /AWS::AmazonBroker/,
+ /AWS::KMS::Alias/,
+ /AWS::SageMaker::NotebookInstanceLifecycleConfig/,
+ /AWS::Lambda::Permission/,
+ /AWS::Athena::NamedQuery/,
+ /AWS::Athena::PreparedStatement/,
+ /AWS::S3::BucketPolicy/,
 /AWS::App*/
 ]
From 99d0c84a8ba1a2f29d77ebcbd4b4a8f0639aac9d Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Mon, 3 Oct 2022 09:49:23 -0700
Subject: [PATCH 2/6] Remove "common" tag guard
Not all resources have a Tags property, this guard belongs in a separate rule unrelated to encryption for Dynamo.
---
 guard-examples/encryption/dynamodb-table-sse.guard | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/guard-examples/encryption/dynamodb-table-sse.guard b/guard-examples/encryption/dynamodb-table-sse.guard
index f0c011fa1..3d518a947 100644
--- a/guard-examples/encryption/dynamodb-table-sse.guard
+++ b/guard-examples/encryption/dynamodb-table-sse.guard
@@ -1,10 +1,3 @@
-#
-# Common rule, all resources must have Tags present on them
-#
-rule assert_all_resources_have_non_empty_tags {
- Resources.*.Properties.Tags !empty
-}
-
 #
 # Select all DDB resources from the incoming template (payload)
 #
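Review bot: The context entry `/AWS::App*/` that the six new entries sit beside is a regex, not a glob: `*` quantifies only the preceding `p`, and nothing anchors the pattern, so it matches every type containing `AWS::Ap` — `AWS::ApiGateway::RestApi`, the `AWS::AppMesh::*` and `AWS::AppRunner::*` types — which do carry a Tags property and are therefore silently exempted from the check. The same unanchored matching turns several entries added later in this series into prefix matches on tag-bearing types: `/AWS::ACMPCA::Certificate/` also matches `AWS::ACMPCA::CertificateAuthority`, `/AWS::EC2::Route/` matches `AWS::EC2::RouteTable`, `/AWS::IoT::Thing/` matches `AWS::IoT::ThingGroup` and `AWS::IoT::ThingType` (patch 3), and `/AWS::Organizations::Organization/` and `/AWS::Scheduler::Schedule/` match `AWS::Organizations::OrganizationalUnit` and `AWS::Scheduler::ScheduleGroup` (patch 5). This assumes the rule consumes `excluded_resources` with a regex comparison, which is the usual reading of `/…/` literals; the rule body is outside the hunk, so please confirm. Anchoring each entry, e.g. `/^AWS::EC2::Route$/`, and replacing `/AWS::App*/` with the explicit App* types it is meant to cover would close the gap; the six entries this hunk adds are not substrings of any other type name, so they are fine as written.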
From 6c6a1a5e523479189e6a05450c5bb6e829665c25 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Mon, 3 Oct 2022 12:21:52 -0700
Subject: [PATCH 3/6] Add resources without Tags property.
From https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-resource-specification.html
---
 .../check-tags-present.guard | 412 +++++++++++++++++-
 1 file changed, 409 insertions(+), 3 deletions(-)
diff --git a/guard-examples/infrastructure-related/check-tags-present.guard b/guard-examples/infrastructure-related/check-tags-present.guard
index dd438dcf3..51807f9d8 100644
--- a/guard-examples/infrastructure-related/check-tags-present.guard
+++ b/guard-examples/infrastructure-related/check-tags-present.guard
@@ -4,12 +4,418 @@ # let excluded_resources = [ /AWS::AmazonBroker/, - /AWS::KMS::Alias/, - /AWS::SageMaker::NotebookInstanceLifecycleConfig/, - /AWS::Lambda::Permission/, + /AWS::ACMPCA::Certificate/, + /AWS::ACMPCA::CertificateAuthorityActivation/, + /AWS::ACMPCA::Permission/, + /AWS::AmazonMQ::ConfigurationAssociation/, + /AWS::Amplify::Domain/, + /AWS::ApiGateway::Account/, + /AWS::ApiGateway::Authorizer/, + /AWS::ApiGateway::BasePathMapping/, + /AWS::ApiGateway::Deployment/, + /AWS::ApiGateway::DocumentationPart/, + /AWS::ApiGateway::DocumentationVersion/, + /AWS::ApiGateway::GatewayResponse/, + /AWS::ApiGateway::Method/, + /AWS::ApiGateway::Model/, + /AWS::ApiGateway::RequestValidator/, + /AWS::ApiGateway::Resource/, + /AWS::ApiGateway::UsagePlanKey/, + /AWS::ApiGatewayV2::ApiGatewayManagedOverrides/, + /AWS::ApiGatewayV2::ApiMapping/, + /AWS::ApiGatewayV2::Authorizer/, + /AWS::ApiGatewayV2::Deployment/, + /AWS::ApiGatewayV2::Integration/, + /AWS::ApiGatewayV2::IntegrationResponse/, + /AWS::ApiGatewayV2::Model/, + /AWS::ApiGatewayV2::Route/, + /AWS::ApiGatewayV2::RouteResponse/, + /AWS::AppConfig::HostedConfigurationVersion/, + /AWS::AppFlow::ConnectorProfile/, + /AWS::AppStream::ApplicationEntitlementAssociation/, + /AWS::AppStream::ApplicationFleetAssociation/, + /AWS::AppStream::DirectoryConfig/, + /AWS::AppStream::Entitlement/, + /AWS::AppStream::StackFleetAssociation/, + /AWS::AppStream::StackUserAssociation/, + /AWS::AppStream::User/, + /AWS::AppSync::ApiCache/, + /AWS::AppSync::ApiKey/, + /AWS::AppSync::DataSource/, + /AWS::AppSync::DomainName/, + /AWS::AppSync::DomainNameApiAssociation/, + /AWS::AppSync::FunctionConfiguration/, + /AWS::AppSync::GraphQLSchema/, + /AWS::AppSync::Resolver/, + /AWS::ApplicationAutoScaling::ScalableTarget/, + /AWS::ApplicationAutoScaling::ScalingPolicy/, /AWS::Athena::NamedQuery/, /AWS::Athena::PreparedStatement/, + /AWS::AutoScaling::LaunchConfiguration/, + /AWS::AutoScaling::LifecycleHook/, + 
/AWS::AutoScaling::ScalingPolicy/, + /AWS::AutoScaling::ScheduledAction/, + /AWS::AutoScaling::WarmPool/, + /AWS::AutoScalingPlans::ScalingPlan/, + /AWS::Backup::BackupPlan/, + /AWS::Backup::BackupSelection/, + /AWS::Backup::BackupVault/, + /AWS::Backup::Framework/, + /AWS::Backup::ReportPlan/, + /AWS::Budgets::Budget/, + /AWS::Budgets::BudgetsAction/, + /AWS::CE::CostCategory/, + /AWS::CertificateManager::Account/, + /AWS::Chatbot::SlackChannelConfiguration/, + /AWS::CloudFormation::CustomResource/, + /AWS::CloudFormation::HookDefaultVersion/, + /AWS::CloudFormation::HookTypeConfig/, + /AWS::CloudFormation::HookVersion/, + /AWS::CloudFormation::Macro/, + /AWS::CloudFormation::ModuleDefaultVersion/, + /AWS::CloudFormation::ModuleVersion/, + /AWS::CloudFormation::PublicTypeVersion/, + /AWS::CloudFormation::Publisher/, + /AWS::CloudFormation::ResourceDefaultVersion/, + /AWS::CloudFormation::ResourceVersion/, + /AWS::CloudFormation::TypeActivation/, + /AWS::CloudFormation::WaitCondition/, + /AWS::CloudFormation::WaitConditionHandle/, + /AWS::CloudFront::CachePolicy/, + /AWS::CloudFront::CloudFrontOriginAccessIdentity/, + /AWS::CloudFront::Function/, + /AWS::CloudFront::KeyGroup/, + /AWS::CloudFront::OriginAccessControl/, + /AWS::CloudFront::OriginRequestPolicy/, + /AWS::CloudFront::PublicKey/, + /AWS::CloudFront::RealtimeLogConfig/, + /AWS::CloudFront::ResponseHeadersPolicy/, + /AWS::CloudWatch::Alarm/, + /AWS::CloudWatch::AnomalyDetector/, + /AWS::CloudWatch::CompositeAlarm/, + /AWS::CloudWatch::Dashboard/, + /AWS::CodeBuild::SourceCredential/, + /AWS::CodeDeploy::DeploymentConfig/, + /AWS::CodePipeline::Webhook/, + /AWS::CodeStar::GitHubRepository/, + /AWS::Cognito::IdentityPool/, + /AWS::Cognito::IdentityPoolRoleAttachment/, + /AWS::Cognito::UserPool/, + /AWS::Cognito::UserPoolClient/, + /AWS::Cognito::UserPoolDomain/, + /AWS::Cognito::UserPoolGroup/, + /AWS::Cognito::UserPoolIdentityProvider/, + /AWS::Cognito::UserPoolResourceServer/, + 
/AWS::Cognito::UserPoolRiskConfigurationAttachment/, + /AWS::Cognito::UserPoolUICustomizationAttachment/, + /AWS::Cognito::UserPoolUser/, + /AWS::Cognito::UserPoolUserToGroupAttachment/, + /AWS::Config::ConfigRule/, + /AWS::Config::ConfigurationRecorder/, + /AWS::Config::ConformancePack/, + /AWS::Config::DeliveryChannel/, + /AWS::Config::OrganizationConfigRule/, + /AWS::Config::OrganizationConformancePack/, + /AWS::Config::RemediationConfiguration/, + /AWS::ControlTower::EnabledControl/, + /AWS::DAX::ParameterGroup/, + /AWS::DAX::SubnetGroup/, + /AWS::DMS::Certificate/, + /AWS::DataPipeline::Pipeline/, + /AWS::Detective::MemberInvitation/, + /AWS::DevOpsGuru::NotificationChannel/, + /AWS::DevOpsGuru::ResourceCollection/, + /AWS::DirectoryService::MicrosoftAD/, + /AWS::DirectoryService::SimpleAD/, + /AWS::DynamoDB::GlobalTable/, + /AWS::EC2::CapacityReservation/, + /AWS::EC2::CapacityReservationFleet/, + /AWS::EC2::ClientVpnAuthorizationRule/, + /AWS::EC2::ClientVpnEndpoint/, + /AWS::EC2::ClientVpnRoute/, + /AWS::EC2::ClientVpnTargetNetworkAssociation/, + /AWS::EC2::EC2Fleet/, + /AWS::EC2::EIPAssociation/, + /AWS::EC2::EgressOnlyInternetGateway/, + /AWS::EC2::EnclaveCertificateIamRoleAssociation/, + /AWS::EC2::GatewayRouteTableAssociation/, + /AWS::EC2::Host/, + /AWS::EC2::IPAMAllocation/, + /AWS::EC2::LaunchTemplate/, + /AWS::EC2::LocalGatewayRoute/, + /AWS::EC2::NetworkAclEntry/, + /AWS::EC2::NetworkInterfaceAttachment/, + /AWS::EC2::NetworkInterfacePermission/, + /AWS::EC2::PlacementGroup/, + /AWS::EC2::Route/, + /AWS::EC2::SecurityGroupEgress/, + /AWS::EC2::SecurityGroupIngress/, + /AWS::EC2::SpotFleet/, + /AWS::EC2::SubnetCidrBlock/, + /AWS::EC2::SubnetNetworkAclAssociation/, + /AWS::EC2::SubnetRouteTableAssociation/, + /AWS::EC2::TrafficMirrorFilterRule/, + /AWS::EC2::TransitGatewayMulticastDomainAssociation/, + /AWS::EC2::TransitGatewayMulticastGroupMember/, + /AWS::EC2::TransitGatewayMulticastGroupSource/, + /AWS::EC2::TransitGatewayRoute/, + 
/AWS::EC2::TransitGatewayRouteTableAssociation/, + /AWS::EC2::TransitGatewayRouteTablePropagation/, + /AWS::EC2::VPCCidrBlock/, + /AWS::EC2::VPCDHCPOptionsAssociation/, + /AWS::EC2::VPCEndpoint/, + /AWS::EC2::VPCEndpointConnectionNotification/, + /AWS::EC2::VPCEndpointService/, + /AWS::EC2::VPCEndpointServicePermissions/, + /AWS::EC2::VPCGatewayAttachment/, + /AWS::EC2::VPNConnectionRoute/, + /AWS::EC2::VPNGatewayRoutePropagation/, + /AWS::EC2::VolumeAttachment/, + /AWS::ECR::PullThroughCacheRule/, + /AWS::ECR::RegistryPolicy/, + /AWS::ECR::ReplicationConfiguration/, + /AWS::ECS::ClusterCapacityProviderAssociations/, + /AWS::ECS::PrimaryTaskSet/, + /AWS::ECS::TaskSet/, + /AWS::EFS::AccessPoint/, + /AWS::EFS::FileSystem/, + /AWS::EFS::MountTarget/, + /AWS::EMR::InstanceFleetConfig/, + /AWS::EMR::InstanceGroupConfig/, + /AWS::EMR::SecurityConfiguration/, + /AWS::EMR::Step/, + /AWS::EMR::StudioSessionMapping/, + /AWS::ElastiCache::GlobalReplicationGroup/, + /AWS::ElastiCache::SecurityGroupIngress/, + /AWS::ElastiCache::User/, + /AWS::ElastiCache::UserGroup/, + /AWS::ElasticBeanstalk::Application/, + /AWS::ElasticBeanstalk::ApplicationVersion/, + /AWS::ElasticBeanstalk::ConfigurationTemplate/, + /AWS::ElasticLoadBalancingV2::Listener/, + /AWS::ElasticLoadBalancingV2::ListenerCertificate/, + /AWS::ElasticLoadBalancingV2::ListenerRule/, + /AWS::EventSchemas::RegistryPolicy/, + /AWS::Events::ApiDestination/, + /AWS::Events::Archive/, + /AWS::Events::Connection/, + /AWS::Events::Endpoint/, + /AWS::Events::EventBusPolicy/, + /AWS::Events::Rule/, + /AWS::FMS::NotificationChannel/, + /AWS::FinSpace::Environment/, + /AWS::GameLift::Alias/, + /AWS::GameLift::Build/, + /AWS::GameLift::Fleet/, + /AWS::GlobalAccelerator::EndpointGroup/, + /AWS::GlobalAccelerator::Listener/, + /AWS::Glue::Classifier/, + /AWS::Glue::Connection/, + /AWS::Glue::DataCatalogEncryptionSettings/, + /AWS::Glue::Database/, + /AWS::Glue::Partition/, + /AWS::Glue::SchemaVersion/, + 
/AWS::Glue::SchemaVersionMetadata/, + /AWS::Glue::SecurityConfiguration/, + /AWS::Glue::Table/, + /AWS::Greengrass::ConnectorDefinitionVersion/, + /AWS::Greengrass::CoreDefinitionVersion/, + /AWS::Greengrass::DeviceDefinitionVersion/, + /AWS::Greengrass::FunctionDefinitionVersion/, + /AWS::Greengrass::GroupVersion/, + /AWS::Greengrass::LoggerDefinitionVersion/, + /AWS::Greengrass::ResourceDefinitionVersion/, + /AWS::Greengrass::SubscriptionDefinitionVersion/, + /AWS::GuardDuty::Master/, + /AWS::GuardDuty::Member/, + /AWS::IAM::AccessKey/, + /AWS::IAM::Group/, + /AWS::IAM::InstanceProfile/, + /AWS::IAM::ManagedPolicy/, + /AWS::IAM::Policy/, + /AWS::IAM::ServiceLinkedRole/, + /AWS::IAM::UserToGroupAddition/, + /AWS::IdentityStore::Group/, + /AWS::IdentityStore::GroupMembership/, + /AWS::Inspector::AssessmentTarget/, + /AWS::Inspector::AssessmentTemplate/, + /AWS::Inspector::ResourceGroup/, + /AWS::InspectorV2::Filter/, + /AWS::IoT1Click::Device/, + /AWS::IoT1Click::Placement/, + /AWS::IoT1Click::Project/, + /AWS::IoT::AccountAuditConfiguration/, + /AWS::IoT::Certificate/, + /AWS::IoT::Logging/, + /AWS::IoT::Policy/, + /AWS::IoT::PolicyPrincipalAttachment/, + /AWS::IoT::ResourceSpecificLogging/, + /AWS::IoT::Thing/, + /AWS::IoT::ThingPrincipalAttachment/, + /AWS::IoT::TopicRuleDestination/, + /AWS::IoTSiteWise::AccessPolicy/, + /AWS::KMS::Alias/, + /AWS::KafkaConnect::Connector/, + /AWS::Kinesis::StreamConsumer/, + /AWS::KinesisAnalytics::Application/, + /AWS::KinesisAnalytics::ApplicationOutput/, + /AWS::KinesisAnalytics::ApplicationReferenceDataSource/, + /AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption/, + /AWS::KinesisAnalyticsV2::ApplicationOutput/, + /AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource/, + /AWS::LakeFormation::DataCellsFilter/, + /AWS::LakeFormation::DataLakeSettings/, + /AWS::LakeFormation::Permissions/, + /AWS::LakeFormation::PrincipalPermissions/, + /AWS::LakeFormation::Resource/, + /AWS::LakeFormation::Tag/, + 
/AWS::LakeFormation::TagAssociation/, + /AWS::Lambda::Alias/, + /AWS::Lambda::CodeSigningConfig/, + /AWS::Lambda::EventInvokeConfig/, + /AWS::Lambda::EventSourceMapping/, + /AWS::Lambda::LayerVersion/, + /AWS::Lambda::LayerVersionPermission/, + /AWS::Lambda::Permission/, + /AWS::Lambda::Url/, + /AWS::Lambda::Version/, + /AWS::LicenseManager::Grant/, + /AWS::LicenseManager::License/, + /AWS::Lightsail::Alarm/, + /AWS::Lightsail::LoadBalancerTlsCertificate/, + /AWS::Lightsail::StaticIp/, + /AWS::Location::GeofenceCollection/, + /AWS::Location::Map/, + /AWS::Location::PlaceIndex/, + /AWS::Location::RouteCalculator/, + /AWS::Location::Tracker/, + /AWS::Location::TrackerConsumer/, + /AWS::Logs::Destination/, + /AWS::Logs::LogStream/, + /AWS::Logs::MetricFilter/, + /AWS::Logs::QueryDefinition/, + /AWS::Logs::ResourcePolicy/, + /AWS::Logs::SubscriptionFilter/, + /AWS::LookoutMetrics::Alert/, + /AWS::LookoutMetrics::AnomalyDetector/, + /AWS::LookoutVision::Project/, + /AWS::MSK::BatchScramSecret/, + /AWS::MSK::Configuration/, + /AWS::Macie::CustomDataIdentifier/, + /AWS::Macie::FindingsFilter/, + /AWS::Macie::Session/, + /AWS::ManagedBlockchain::Member/, + /AWS::ManagedBlockchain::Node/, + /AWS::MediaConnect::Flow/, + /AWS::MediaConnect::FlowEntitlement/, + /AWS::MediaConnect::FlowOutput/, + /AWS::MediaConnect::FlowSource/, + /AWS::MediaConnect::FlowVpcInterface/, + /AWS::NetworkFirewall::LoggingConfiguration/, + /AWS::NetworkManager::CustomerGatewayAssociation/, + /AWS::NetworkManager::LinkAssociation/, + /AWS::NetworkManager::TransitGatewayRegistration/, + /AWS::OpsWorks::App/, + /AWS::OpsWorks::ElasticLoadBalancerAttachment/, + /AWS::OpsWorks::Instance/, + /AWS::OpsWorks::UserProfile/, + /AWS::OpsWorks::Volume/, + /AWS::Personalize::Dataset/, + /AWS::Personalize::DatasetGroup/, + /AWS::Personalize::Schema/, + /AWS::Personalize::Solution/, + /AWS::RDS::DBProxyTargetGroup/, + /AWS::RDS::DBSecurityGroupIngress/, + /AWS::RDS::GlobalCluster/, + 
/AWS::Redshift::ClusterSecurityGroupIngress/, + /AWS::Redshift::EndpointAccess/, + /AWS::Redshift::EndpointAuthorization/, + /AWS::Redshift::ScheduledAction/, + /AWS::Rekognition::Project/, + /AWS::RoboMaker::RobotApplicationVersion/, + /AWS::RoboMaker::SimulationApplicationVersion/, + /AWS::Route53::CidrCollection/, + /AWS::Route53::DNSSEC/, + /AWS::Route53::HealthCheck/, + /AWS::Route53::HostedZone/, + /AWS::Route53::KeySigningKey/, + /AWS::Route53::RecordSet/, + /AWS::Route53::RecordSetGroup/, + /AWS::Route53Resolver::ResolverConfig/, + /AWS::Route53Resolver::ResolverDNSSECConfig/, + /AWS::Route53Resolver::ResolverQueryLoggingConfig/, + /AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation/, + /AWS::Route53Resolver::ResolverRuleAssociation/, + /AWS::S3::AccessPoint/, /AWS::S3::BucketPolicy/, + /AWS::S3::MultiRegionAccessPoint/, + /AWS::S3::MultiRegionAccessPointPolicy/, + /AWS::S3ObjectLambda::AccessPoint/, + /AWS::S3ObjectLambda::AccessPointPolicy/, + /AWS::S3Outposts::AccessPoint/, + /AWS::S3Outposts::BucketPolicy/, + /AWS::S3Outposts::Endpoint/, + /AWS::SDB::Domain/, + /AWS::SES::ConfigurationSet/, + /AWS::SES::ConfigurationSetEventDestination/, + /AWS::SES::DedicatedIpPool/, + /AWS::SES::EmailIdentity/, + /AWS::SES::Template/, + /AWS::SNS::Subscription/, + /AWS::SNS::TopicPolicy/, + /AWS::SQS::QueuePolicy/, + /AWS::SSM::Association/, + /AWS::SSM::MaintenanceWindowTarget/, + /AWS::SSM::MaintenanceWindowTask/, + /AWS::SSM::ResourceDataSync/, + /AWS::SSMContacts::Contact/, + /AWS::SSMContacts::ContactChannel/, + /AWS::SSMIncidents::ReplicationSet/, + /AWS::SSO::Assignment/, + /AWS::SSO::InstanceAccessControlAttributeConfiguration/, + /AWS::SageMaker::ImageVersion/, + /AWS::SageMaker::NotebookInstanceLifecycleConfig/, + /AWS::SecretsManager::ResourcePolicy/, + /AWS::SecretsManager::RotationSchedule/, + /AWS::SecretsManager::SecretTargetAttachment/, + /AWS::ServiceCatalog::AcceptedPortfolioShare/, + /AWS::ServiceCatalog::LaunchNotificationConstraint/, + 
/AWS::ServiceCatalog::LaunchRoleConstraint/, + /AWS::ServiceCatalog::LaunchTemplateConstraint/, + /AWS::ServiceCatalog::PortfolioPrincipalAssociation/, + /AWS::ServiceCatalog::PortfolioProductAssociation/, + /AWS::ServiceCatalog::PortfolioShare/, + /AWS::ServiceCatalog::ResourceUpdateConstraint/, + /AWS::ServiceCatalog::ServiceAction/, + /AWS::ServiceCatalog::ServiceActionAssociation/, + /AWS::ServiceCatalog::StackSetConstraint/, + /AWS::ServiceCatalog::TagOption/, + /AWS::ServiceCatalog::TagOptionAssociation/, + /AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation/, + /AWS::ServiceCatalogAppRegistry::ResourceAssociation/, + /AWS::ServiceDiscovery::Instance/, + /AWS::Signer::ProfilePermission/, + /AWS::WAF::ByteMatchSet/, + /AWS::WAF::IPSet/, + /AWS::WAF::Rule/, + /AWS::WAF::SizeConstraintSet/, + /AWS::WAF::SqlInjectionMatchSet/, + /AWS::WAF::WebACL/, + /AWS::WAF::XssMatchSet/, + /AWS::WAFRegional::ByteMatchSet/, + /AWS::WAFRegional::GeoMatchSet/, + /AWS::WAFRegional::IPSet/, + /AWS::WAFRegional::RateBasedRule/, + /AWS::WAFRegional::RegexPatternSet/, + /AWS::WAFRegional::Rule/, + /AWS::WAFRegional::SizeConstraintSet/, + /AWS::WAFRegional::SqlInjectionMatchSet/, + /AWS::WAFRegional::WebACL/, + /AWS::WAFRegional::WebACLAssociation/, + /AWS::WAFRegional::XssMatchSet/, + /AWS::WAFv2::LoggingConfiguration/, + /AWS::WAFv2::WebACLAssociation/, + /Alexa::ASK::Skill/, /AWS::App*/ ] From f899034949d736e57bb52fa5e0c7b632abef938c Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Mon, 3 Oct 2022 13:10:28 -0700 Subject: [PATCH 4/6] Added two resources without Tags outside us-east-1 There are four regions without Tags property for IoT::TopicRule There are four regions without Tags property for Logs::LogGroup --- guard-examples/infrastructure-related/check-tags-present.guard | 2 ++ 1 file changed, 2 insertions(+) 
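Review bot: Several types added here are excluded because they lack a property literally named `Tags`, yet they do accept tags under another name — `AWS::EFS::FileSystem` (`FileSystemTags`), `AWS::Backup::BackupVault` (`BackupVaultTags`), `AWS::Backup::BackupPlan` (`BackupPlanTags`), `AWS::Cognito::UserPool` (`UserPoolTags`) — so after this change nothing checks tagging on them at all. The exclusion is right for a rule that tests `Properties.Tags`, but it hides that gap; a comment on the line above each such entry, `# tagged via FileSystemTags, not Tags — needs its own rule`, or grouping them at the end of the list under one such comment, would keep it visible. The commit message cites the resource specification as the source, but the file itself does not say so or when; a line such as `# Types without a Tags property, per the CloudFormation resource specification as of 2022-10-03` above `let excluded_resources = [` would let a later maintainer regenerate the list instead of editing it by hand, since it goes stale as services add tagging (patch 5 already drops a number of entries for that reason). The rule that consumes the list is outside this hunk.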
diff --git a/guard-examples/infrastructure-related/check-tags-present.guard b/guard-examples/infrastructure-related/check-tags-present.guard
index 51807f9d8..d6a2ba2d3 100644
--- a/guard-examples/infrastructure-related/check-tags-present.guard
+++ b/guard-examples/infrastructure-related/check-tags-present.guard
@@ -253,6 +253,7 @@ let excluded_resources = [
 /AWS::IoT::Thing/,
 /AWS::IoT::ThingPrincipalAttachment/,
 /AWS::IoT::TopicRuleDestination/,
+ /AWS::IoT::TopicRule/,
 /AWS::IoTSiteWise::AccessPolicy/,
 /AWS::KMS::Alias/,
 /AWS::KafkaConnect::Connector/,
@@ -291,6 +292,7 @@ let excluded_resources = [
 /AWS::Location::Tracker/,
 /AWS::Location::TrackerConsumer/,
 /AWS::Logs::Destination/,
+ /AWS::Logs::LogGroup/,
 /AWS::Logs::LogStream/,
 /AWS::Logs::MetricFilter/,
 /AWS::Logs::QueryDefinition/,
From 01bdc2e70959b5dd896398b0e3fa1476b977bf92 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Thu, 24 Oct 2024 10:44:53 -0700
Subject: [PATCH 5/6] update check-tags-present.guard
Based on October 24, 2024 review
---
 .../check-tags-present.guard | 167 +++++++++++++++---
 1 file changed, 145 insertions(+), 22 deletions(-)
diff --git a/guard-examples/infrastructure-related/check-tags-present.guard b/guard-examples/infrastructure-related/check-tags-present.guard
index 225c721c4..b6f869fb4 100644
--- a/guard-examples/infrastructure-related/check-tags-present.guard
+++ b/guard-examples/infrastructure-related/check-tags-present.guard
@@ -4,9 +4,12 @@
 #
 let excluded_resources = [
 /AWS::AmazonBroker/,
+ /AMZN::SDC::Deployment/,
 /AWS::ACMPCA::Certificate/,
 /AWS::ACMPCA::CertificateAuthorityActivation/,
 /AWS::ACMPCA::Permission/,
+ /AWS::ARCZonalShift::AutoshiftObserverNotificationStatus/,
+ /AWS::ARCZonalShift::ZonalAutoshiftConfiguration/,
 /AWS::AmazonMQ::ConfigurationAssociation/,
 /AWS::Amplify::Domain/,
 /AWS::ApiGateway::Account/,
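Review bot: The two entries this patch adds, `/AWS::IoT::TopicRule/` (first hunk) and `/AWS::Logs::LogGroup/` (second hunk), exempt those types in every region, while the commit message says only four regions lack the property; that reason is lost once the patch lands, and patch 5 later removes `/AWS::Logs::LogGroup/` again without saying why. Log groups are one of the most common tag-governance targets, so the temporary nature of the exemption is worth recording in the file, on the line above the entry: `# Tags property missing in some regions as of 2022-10; remove once supported everywhere`. Also, under the unanchored regex matching these entries rely on, `/AWS::IoT::TopicRule/` already matches `AWS::IoT::TopicRuleDestination`, so the `/AWS::IoT::TopicRuleDestination/` line directly above it becomes redundant unless the entries are anchored.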
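Review bot: `/AMZN::SDC::Deployment/` is inserted after `/AWS::AmazonBroker/` although the list is otherwise kept in ASCII order (every other addition in this patch respects it) and `AMZN::` sorts before `AWS::`; placing it first keeps the list diffable against a regenerated one. While here, `/AWS::AmazonBroker/` does not look like a CloudFormation type name — the broker resource is `AWS::AmazonMQ::Broker`, which does take Tags — so if the October 2024 spec review confirms no such type exists, the entry is dead and should be dropped; if it was meant as `AWS::AmazonMQ::Broker`, it would wrongly exempt a taggable type. This is inferred from the naming only; please check it against the specification this review used.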
@@ -31,6 +34,7 @@ let excluded_resources = [ /AWS::ApiGatewayV2::Route/, /AWS::ApiGatewayV2::RouteResponse/, /AWS::AppConfig::HostedConfigurationVersion/, + /AWS::AppFlow::Connector/, /AWS::AppFlow::ConnectorProfile/, /AWS::AppStream::ApplicationEntitlementAssociation/, /AWS::AppStream::ApplicationFleetAssociation/, @@ -47,6 +51,7 @@ let excluded_resources = [ /AWS::AppSync::FunctionConfiguration/, /AWS::AppSync::GraphQLSchema/, /AWS::AppSync::Resolver/, + /AWS::AppSync::SourceApiAssociation/, /AWS::ApplicationAutoScaling::ScalableTarget/, /AWS::ApplicationAutoScaling::ScalingPolicy/, /AWS::Athena::NamedQuery/, @@ -62,11 +67,17 @@ let excluded_resources = [ /AWS::Backup::BackupVault/, /AWS::Backup::Framework/, /AWS::Backup::ReportPlan/, + /AWS::Backup::RestoreTestingSelection/, + /AWS::Bedrock::DataSource/, + /AWS::Bedrock::FlowVersion/, + /AWS::Bedrock::GuardrailVersion/, /AWS::Budgets::Budget/, /AWS::Budgets::BudgetsAction/, + /AWS::CE::AnomalyMonitor/, + /AWS::CE::AnomalySubscription/, /AWS::CE::CostCategory/, + /AWS::CUR::ReportDefinition/, /AWS::CertificateManager::Account/, - /AWS::Chatbot::SlackChannelConfiguration/, /AWS::CloudFormation::CustomResource/, /AWS::CloudFormation::HookDefaultVersion/, /AWS::CloudFormation::HookTypeConfig/, 
@@ -83,23 +94,29 @@ let excluded_resources = [ /AWS::CloudFormation::WaitConditionHandle/, /AWS::CloudFront::CachePolicy/, /AWS::CloudFront::CloudFrontOriginAccessIdentity/, + /AWS::CloudFront::ContinuousDeploymentPolicy/, /AWS::CloudFront::Function/, /AWS::CloudFront::KeyGroup/, + /AWS::CloudFront::KeyValueStore/, + /AWS::CloudFront::MonitoringSubscription/, /AWS::CloudFront::OriginAccessControl/, /AWS::CloudFront::OriginRequestPolicy/, /AWS::CloudFront::PublicKey/, /AWS::CloudFront::RealtimeLogConfig/, /AWS::CloudFront::ResponseHeadersPolicy/, - /AWS::CloudWatch::Alarm/, + /AWS::CloudTrail::ResourcePolicy/, /AWS::CloudWatch::AnomalyDetector/, - /AWS::CloudWatch::CompositeAlarm/, /AWS::CloudWatch::Dashboard/, /AWS::CodeBuild::SourceCredential/, /AWS::CodeDeploy::DeploymentConfig/, + /AWS::CodePipeline::CustomActionType/, /AWS::CodePipeline::Webhook/, /AWS::CodeStar::GitHubRepository/, + /AWS::CodeStarConnections::SyncConfiguration/, /AWS::Cognito::IdentityPool/, + /AWS::Cognito::IdentityPoolPrincipalTag/, /AWS::Cognito::IdentityPoolRoleAttachment/, + /AWS::Cognito::LogDeliveryConfiguration/, /AWS::Cognito::UserPool/, /AWS::Cognito::UserPoolClient/, /AWS::Cognito::UserPoolDomain/, 
@@ -117,16 +134,40 @@ let excluded_resources = [ /AWS::Config::OrganizationConfigRule/, /AWS::Config::OrganizationConformancePack/, /AWS::Config::RemediationConfiguration/, - /AWS::ControlTower::EnabledControl/, + /AWS::Connect::ApprovedOrigin/, + /AWS::Connect::InstanceStorageConfig/, + /AWS::Connect::IntegrationAssociation/, + /AWS::Connect::PredefinedAttribute/, + /AWS::Connect::SecurityKey/, + /AWS::Connect::UserHierarchyStructure/, + /AWS::Connect::ViewVersion/, /AWS::DAX::ParameterGroup/, /AWS::DAX::SubnetGroup/, /AWS::DMS::Certificate/, /AWS::DataPipeline::Pipeline/, + /AWS::DataZone::DataSource/, + /AWS::DataZone::Environment/, + /AWS::DataZone::EnvironmentActions/, + /AWS::DataZone::EnvironmentBlueprintConfiguration/, + /AWS::DataZone::EnvironmentProfile/, + /AWS::DataZone::GroupProfile/, + /AWS::DataZone::Project/, + /AWS::DataZone::ProjectMembership/, + /AWS::DataZone::SubscriptionTarget/, + /AWS::DataZone::UserProfile/, + /AWS::Deadline::MeteredProduct/, + /AWS::Deadline::Monitor/, + /AWS::Deadline::QueueEnvironment/, + /AWS::Deadline::QueueFleetAssociation/, + /AWS::Deadline::StorageProfile/, /AWS::Detective::MemberInvitation/, + /AWS::Detective::OrganizationAdmin/, + /AWS::DevOpsGuru::LogAnomalyDetectionIntegration/, /AWS::DevOpsGuru::NotificationChannel/, /AWS::DevOpsGuru::ResourceCollection/, /AWS::DirectoryService::MicrosoftAD/, /AWS::DirectoryService::SimpleAD/, + /AWS::DocDB::EventSubscription/, /AWS::DynamoDB::GlobalTable/, /AWS::EC2::CapacityReservation/, /AWS::EC2::CapacityReservationFleet/, 
@@ -141,20 +182,22 @@ let excluded_resources = [ /AWS::EC2::GatewayRouteTableAssociation/, /AWS::EC2::Host/, /AWS::EC2::IPAMAllocation/, + /AWS::EC2::IPAMPoolCidr/, /AWS::EC2::LaunchTemplate/, /AWS::EC2::LocalGatewayRoute/, /AWS::EC2::NetworkAclEntry/, /AWS::EC2::NetworkInterfaceAttachment/, /AWS::EC2::NetworkInterfacePermission/, + /AWS::EC2::NetworkPerformanceMetricSubscription/, /AWS::EC2::PlacementGroup/, /AWS::EC2::Route/, /AWS::EC2::SecurityGroupEgress/, /AWS::EC2::SecurityGroupIngress/, + /AWS::EC2::SnapshotBlockPublicAccess/, /AWS::EC2::SpotFleet/, /AWS::EC2::SubnetCidrBlock/, /AWS::EC2::SubnetNetworkAclAssociation/, /AWS::EC2::SubnetRouteTableAssociation/, - /AWS::EC2::TrafficMirrorFilterRule/, /AWS::EC2::TransitGatewayMulticastDomainAssociation/, /AWS::EC2::TransitGatewayMulticastGroupMember/, /AWS::EC2::TransitGatewayMulticastGroupSource/, @@ -174,9 +217,9 @@ let excluded_resources = [ /AWS::ECR::PullThroughCacheRule/, /AWS::ECR::RegistryPolicy/, /AWS::ECR::ReplicationConfiguration/, + /AWS::ECR::RepositoryCreationTemplate/, /AWS::ECS::ClusterCapacityProviderAssociations/, /AWS::ECS::PrimaryTaskSet/, - /AWS::ECS::TaskSet/, /AWS::EFS::AccessPoint/, /AWS::EFS::FileSystem/, /AWS::EFS::MountTarget/, @@ -187,14 +230,14 @@ let excluded_resources = [ /AWS::EMR::StudioSessionMapping/, /AWS::ElastiCache::GlobalReplicationGroup/, /AWS::ElastiCache::SecurityGroupIngress/, - /AWS::ElastiCache::User/, - /AWS::ElastiCache::UserGroup/, /AWS::ElasticBeanstalk::Application/, /AWS::ElasticBeanstalk::ApplicationVersion/, /AWS::ElasticBeanstalk::ConfigurationTemplate/, /AWS::ElasticLoadBalancingV2::Listener/, /AWS::ElasticLoadBalancingV2::ListenerCertificate/, /AWS::ElasticLoadBalancingV2::ListenerRule/, + /AWS::ElasticLoadBalancingV2::TrustStoreRevocation/, + /AWS::EntityResolution::PolicyStatement/, /AWS::EventSchemas::RegistryPolicy/, /AWS::Events::ApiDestination/, /AWS::Events::Archive/, 
@@ -202,8 +245,8 @@ let excluded_resources = [ /AWS::Events::Endpoint/, /AWS::Events::EventBusPolicy/, /AWS::Events::Rule/, + /AWS::FIS::TargetAccountConfiguration/, /AWS::FMS::NotificationChannel/, - /AWS::FinSpace::Environment/, /AWS::GameLift::Alias/, /AWS::GameLift::Build/, /AWS::GameLift::Fleet/, @@ -218,6 +261,8 @@ let excluded_resources = [ /AWS::Glue::SchemaVersionMetadata/, /AWS::Glue::SecurityConfiguration/, /AWS::Glue::Table/, + /AWS::Glue::TableOptimizer/, + /AWS::Grafana::Workspace/, /AWS::Greengrass::ConnectorDefinitionVersion/, /AWS::Greengrass::CoreDefinitionVersion/, /AWS::Greengrass::DeviceDefinitionVersion/, @@ -228,12 +273,16 @@ let excluded_resources = [ /AWS::Greengrass::SubscriptionDefinitionVersion/, /AWS::GuardDuty::Master/, /AWS::GuardDuty::Member/, + /AWS::GuardDuty::PublishingDestination/, /AWS::IAM::AccessKey/, /AWS::IAM::Group/, + /AWS::IAM::GroupPolicy/, /AWS::IAM::InstanceProfile/, /AWS::IAM::ManagedPolicy/, /AWS::IAM::Policy/, + /AWS::IAM::RolePolicy/, /AWS::IAM::ServiceLinkedRole/, + /AWS::IAM::UserPolicy/, /AWS::IAM::UserToGroupAddition/, /AWS::IdentityStore::Group/, /AWS::IdentityStore::GroupMembership/, @@ -252,11 +301,12 @@ let excluded_resources = [ /AWS::IoT::ResourceSpecificLogging/, /AWS::IoT::Thing/, /AWS::IoT::ThingPrincipalAttachment/, - /AWS::IoT::TopicRuleDestination/, /AWS::IoT::TopicRule/, + /AWS::IoT::TopicRuleDestination/, /AWS::IoTSiteWise::AccessPolicy/, + /AWS::IoTThingsGraph::FlowTemplate/, /AWS::KMS::Alias/, - /AWS::KafkaConnect::Connector/, + /AWS::Kinesis::ResourcePolicy/, /AWS::Kinesis::StreamConsumer/, /AWS::KinesisAnalytics::Application/, /AWS::KinesisAnalytics::ApplicationOutput/, 
@@ -272,27 +322,27 @@ let excluded_resources = [ /AWS::LakeFormation::Tag/, /AWS::LakeFormation::TagAssociation/, /AWS::Lambda::Alias/, - /AWS::Lambda::CodeSigningConfig/, /AWS::Lambda::EventInvokeConfig/, /AWS::Lambda::EventSourceMapping/, /AWS::Lambda::LayerVersion/, /AWS::Lambda::LayerVersionPermission/, /AWS::Lambda::Permission/, + /AWS::Lambda::ResourcePolicy/, /AWS::Lambda::Url/, /AWS::Lambda::Version/, + /AWS::Lex::Bot/, + /AWS::Lex::BotAlias/, + /AWS::Lex::BotVersion/, + /AWS::Lex::ResourcePolicy/, /AWS::LicenseManager::Grant/, /AWS::LicenseManager::License/, /AWS::Lightsail::Alarm/, /AWS::Lightsail::LoadBalancerTlsCertificate/, /AWS::Lightsail::StaticIp/, - /AWS::Location::GeofenceCollection/, - /AWS::Location::Map/, - /AWS::Location::PlaceIndex/, - /AWS::Location::RouteCalculator/, - /AWS::Location::Tracker/, /AWS::Location::TrackerConsumer/, + /AWS::Logs::AccountPolicy/, /AWS::Logs::Destination/, - /AWS::Logs::LogGroup/, + /AWS::Logs::LogAnomalyDetector/, /AWS::Logs::LogStream/, /AWS::Logs::MetricFilter/, /AWS::Logs::QueryDefinition/, 
@@ -302,38 +352,72 @@ let excluded_resources = [ /AWS::LookoutMetrics::AnomalyDetector/, /AWS::LookoutVision::Project/, /AWS::MSK::BatchScramSecret/, + /AWS::MSK::ClusterPolicy/, /AWS::MSK::Configuration/, - /AWS::Macie::CustomDataIdentifier/, - /AWS::Macie::FindingsFilter/, /AWS::Macie::Session/, /AWS::ManagedBlockchain::Member/, /AWS::ManagedBlockchain::Node/, + /AWS::MediaConnect::Bridge/, + /AWS::MediaConnect::BridgeOutput/, + /AWS::MediaConnect::BridgeSource/, /AWS::MediaConnect::Flow/, /AWS::MediaConnect::FlowEntitlement/, /AWS::MediaConnect::FlowOutput/, /AWS::MediaConnect::FlowSource/, /AWS::MediaConnect::FlowVpcInterface/, + /AWS::MediaConnect::Gateway/, + /AWS::MediaLive::Multiplexprogram/, + /AWS::MediaPackageV2::ChannelPolicy/, + /AWS::MediaPackageV2::OriginEndpointPolicy/, + /AWS::MediaTailor::ChannelPolicy/, + /AWS::Neptune::EventSubscription/, + /AWS::NeptuneGraph::PrivateGraphEndpoint/, /AWS::NetworkFirewall::LoggingConfiguration/, /AWS::NetworkManager::CustomerGatewayAssociation/, /AWS::NetworkManager::LinkAssociation/, /AWS::NetworkManager::TransitGatewayRegistration/, + /AWS::OpenSearchServerless::AccessPolicy/, + /AWS::OpenSearchServerless::LifecyclePolicy/, + /AWS::OpenSearchServerless::SecurityConfig/, + /AWS::OpenSearchServerless::SecurityPolicy/, + /AWS::OpenSearchServerless::VpcEndpoint/, /AWS::OpsWorks::App/, /AWS::OpsWorks::ElasticLoadBalancerAttachment/, /AWS::OpsWorks::Instance/, /AWS::OpsWorks::UserProfile/, /AWS::OpsWorks::Volume/, + /AWS::Organizations::Organization/, + /AWS::PCAConnectorAD::ServicePrincipalName/, + /AWS::PCAConnectorAD::TemplateGroupAccessControlEntry/, + /AWS::Panorama::PackageVersion/, + /AWS::PaymentCryptography::Alias/, /AWS::Personalize::Dataset/, /AWS::Personalize::DatasetGroup/, /AWS::Personalize::Schema/, /AWS::Personalize::Solution/, + /AWS::Pinpoint::ADMChannel/, + /AWS::Pinpoint::APNSChannel/, + /AWS::Pinpoint::APNSSandboxChannel/, + /AWS::Pinpoint::APNSVoipChannel/, + 
/AWS::Pinpoint::APNSVoipSandboxChannel/, + /AWS::Pinpoint::ApplicationSettings/, + /AWS::Pinpoint::BaiduChannel/, + /AWS::Pinpoint::EmailChannel/, + /AWS::Pinpoint::EventStream/, + /AWS::Pinpoint::GCMChannel/, + /AWS::Pinpoint::SMSChannel/, + /AWS::Pinpoint::VoiceChannel/, + /AWS::PinpointEmail::ConfigurationSetEventDestination/, + /AWS::QuickSight::RefreshSchedule/, + /AWS::QuickSight::Topic/, /AWS::RDS::DBProxyTargetGroup/, /AWS::RDS::DBSecurityGroupIngress/, - /AWS::RDS::GlobalCluster/, /AWS::Redshift::ClusterSecurityGroupIngress/, /AWS::Redshift::EndpointAccess/, /AWS::Redshift::EndpointAuthorization/, /AWS::Redshift::ScheduledAction/, /AWS::Rekognition::Project/, + /AWS::ResourceExplorer2::DefaultViewAssociation/, /AWS::RoboMaker::RobotApplicationVersion/, /AWS::RoboMaker::SimulationApplicationVersion/, /AWS::Route53::CidrCollection/, @@ -343,6 +427,8 @@ let excluded_resources = [ /AWS::Route53::KeySigningKey/, /AWS::Route53::RecordSet/, /AWS::Route53::RecordSetGroup/, + /AWS::Route53Profiles::ProfileResourceAssociation/, + /AWS::Route53RecoveryControl::RoutingControl/, /AWS::Route53Resolver::ResolverConfig/, /AWS::Route53Resolver::ResolverDNSSECConfig/, /AWS::Route53Resolver::ResolverQueryLoggingConfig/, @@ -352,6 +438,8 @@ let excluded_resources = [ /AWS::S3::BucketPolicy/, /AWS::S3::MultiRegionAccessPoint/, /AWS::S3::MultiRegionAccessPointPolicy/, + /AWS::S3Express::BucketPolicy/, + /AWS::S3Express::DirectoryBucket/, /AWS::S3ObjectLambda::AccessPoint/, /AWS::S3ObjectLambda::AccessPointPolicy/, /AWS::S3Outposts::AccessPoint/, 
@@ -362,24 +450,44 @@ let excluded_resources = [
 /AWS::SES::ConfigurationSetEventDestination/,
 /AWS::SES::DedicatedIpPool/,
 /AWS::SES::EmailIdentity/,
+ /AWS::SES::ReceiptFilter/,
+ /AWS::SES::ReceiptRule/,
+ /AWS::SES::ReceiptRuleSet/,
 /AWS::SES::Template/,
+ /AWS::SES::VdmAttributes/,
 /AWS::SNS::Subscription/,
+ /AWS::SNS::TopicInlinePolicy/,
 /AWS::SNS::TopicPolicy/,
+ /AWS::SQS::QueueInlinePolicy/,
 /AWS::SQS::QueuePolicy/,
 /AWS::SSM::Association/,
 /AWS::SSM::MaintenanceWindowTarget/,
 /AWS::SSM::MaintenanceWindowTask/,
 /AWS::SSM::ResourceDataSync/,
+ /AWS::SSM::ResourcePolicy/,
 /AWS::SSMContacts::Contact/,
 /AWS::SSMContacts::ContactChannel/,
- /AWS::SSMIncidents::ReplicationSet/,
+ /AWS::SSMContacts::Plan/,
+ /AWS::SSMGuiConnect::Preferences/,
+ /AWS::SSO::ApplicationAssignment/,
 /AWS::SSO::Assignment/,
 /AWS::SSO::InstanceAccessControlAttributeConfiguration/,
 /AWS::SageMaker::ImageVersion/,
 /AWS::SageMaker::NotebookInstanceLifecycleConfig/,
+ /AWS::Scheduler::Schedule/,
 /AWS::SecretsManager::ResourcePolicy/,
 /AWS::SecretsManager::RotationSchedule/,
 /AWS::SecretsManager::SecretTargetAttachment/,
+ /AWS::SecurityHub::DelegatedAdmin/,
+ /AWS::SecurityHub::FindingAggregator/,
+ /AWS::SecurityHub::Insight/,
+ /AWS::SecurityHub::OrganizationConfiguration/,
+ /AWS::SecurityHub::PolicyAssociation/,
+ /AWS::SecurityHub::ProductSubscription/,
+ /AWS::SecurityHub::SecurityControl/,
+ /AWS::SecurityHub::Standard/,
+ /AWS::SecurityLake::AwsLogSource/,
+ /AWS::SecurityLake::SubscriberNotification/,
 /AWS::ServiceCatalog::AcceptedPortfolioShare/,
 /AWS::ServiceCatalog::LaunchNotificationConstraint/,
 /AWS::ServiceCatalog::LaunchRoleConstraint/,
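Review bot: `/AWS::Scheduler::Schedule/`, added just after the SageMaker entries, is an unanchored regex literal, so under a regex comparison it also matches `AWS::Scheduler::ScheduleGroup`, which does carry a `Tags` property and would silently drop out of the tag check. The same overlap appears with `/AWS::SES::ReceiptRule/` and `/AWS::SES::ReceiptRuleSet/`, harmless there only because both are meant to be excluded. Anchoring the entry, `/^AWS::Scheduler::Schedule$/`, restricts it to the one untaggable type; the same treatment is cheap to apply to every line added in this hunk. The list being extended begins and ends outside the hunk, and the rule that reads it is not shown, so the regex semantics are inferred from the `/.../` literal syntax.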
@@ -396,7 +504,21 @@ let excluded_resources = [
 /AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation/,
 /AWS::ServiceCatalogAppRegistry::ResourceAssociation/,
 /AWS::ServiceDiscovery::Instance/,
+ /AWS::Shield::DRTAccess/,
+ /AWS::Shield::ProactiveEngagement/,
 /AWS::Signer::ProfilePermission/,
+ /AWS::SimSpaceWeaver::Simulation/,
+ /AWS::StepFunctions::StateMachineAlias/,
+ /AWS::StepFunctions::StateMachineVersion/,
+ /AWS::SupportApp::AccountAlias/,
+ /AWS::SupportApp::SlackChannelConfiguration/,
+ /AWS::SupportApp::SlackWorkspaceConfiguration/,
+ /AWS::VerifiedPermissions::IdentitySource/,
+ /AWS::VerifiedPermissions::Policy/,
+ /AWS::VerifiedPermissions::PolicyStore/,
+ /AWS::VerifiedPermissions::PolicyTemplate/,
+ /AWS::VpcLattice::AuthPolicy/,
+ /AWS::VpcLattice::ResourcePolicy/,
 /AWS::WAF::ByteMatchSet/,
 /AWS::WAF::IPSet/,
 /AWS::WAF::Rule/,
@@ -417,6 +539,7 @@ let excluded_resources = [
 /AWS::WAFRegional::XssMatchSet/,
 /AWS::WAFv2::LoggingConfiguration/,
 /AWS::WAFv2::WebACLAssociation/,
+ /AWS::XRay::ResourcePolicy/,
 /Alexa::ASK::Skill/,
 /AWS::App*/
 ]
From c450b468aa302907e8d2dcfbfe8aa764e210b478 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Thu, 24 Oct 2024 11:08:19 -0700
Subject: [PATCH 6/6] Update dynamodb-table-sse.guard
Not ALL resources must have tags, just the DynamoDB Tables.
---
 guard-examples/encryption/dynamodb-table-sse.guard | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/guard-examples/encryption/dynamodb-table-sse.guard b/guard-examples/encryption/dynamodb-table-sse.guard
index 4f1336ef0..d0b11dd72 100644
--- a/guard-examples/encryption/dynamodb-table-sse.guard
+++ b/guard-examples/encryption/dynamodb-table-sse.guard
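Review bot: The second hunk places `/AWS::XRay::ResourcePolicy/` directly above the pre-existing catch-all `/AWS::App*/` that closes the list, and that wildcard undoes the precision this commit is adding. As a regex, `App*` is `Ap` followed by zero or more `p`, and unanchored it matches every type that begins with `AWS::Ap`, for instance `AWS::ApiGateway::RestApi` and `AWS::AppSync::GraphQLApi`, both of which accept `Tags` and so escape the tag check entirely. Since this patch series enumerates untaggable types one by one, the consistent fix is to drop the wildcard and list the specific `AWS::App…` types that lack `Tags`; at minimum anchor it as `/^AWS::App/` so the `AWS::ApiGateway::*` family is no longer swept in. The `let excluded_resources = [` declaration itself is outside the hunk, and the rule that reads the list is not shown.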
@@ -3,9 +3,19 @@
 #
 let ddb = Resources.*[ Type == 'AWS::DynamoDB::Table' ]
+#
+# Common rule, DDB table resources must have Tags present on them
+#
+rule assert_ddb_resources_have_non_empty_tags
+{
+ #
+ # Ensure ALL DynamoDB Tables have tags
+ #
+ %ddb.Properties.Tags !empty
+}
 #
 # Run this DDB rule when there are DDB table present and
-# we PASSED the check that all resources did have tags in them
+# we PASSED the check that DDB table resources did have tags in them
 #
 # Rule Intent: ALL DDB Table must have encryption at rest turned
 # on.
@@ -16,7 +26,7 @@ let ddb = Resources.*[ Type == 'AWS::DynamoDB::Table' ]
 # c) FAIL if wasn't set for them
 #
 rule dynamo_db_sse_on when %ddb !empty
- assert_all_resources_have_non_empty_tags
+ assert_ddb_resources_have_non_empty_tags
 {
 #
 # Ensure ALL DynamoDB Tables have encryption at rest turned on
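Review bot: The new `rule assert_ddb_resources_have_non_empty_tags` in the first hunk has no `when` guard, so on a template that contains no `AWS::DynamoDB::Table` the query `%ddb.Properties.Tags` resolves to nothing and `!empty` is reported as a failure, which makes the ruleset fail for templates it was never meant to cover; `dynamo_db_sse_on` protects itself with `when %ddb !empty`, but this rule is also evaluated on its own. Guard it the same way: `rule assert_ddb_resources_have_non_empty_tags when %ddb !empty`. Using it as a precondition of `dynamo_db_sse_on` in the second hunk is otherwise sound, since a skipped precondition will not block the encryption check. The body of `dynamo_db_sse_on` continues past the end of the hunk.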