Pre-written Sentinel policies are ready-to-use compliance checks for the CIS AWS Foundations Benchmark v1.2, v1.4 and v3.0 that help your AWS resources meet industry security standards.
At HashiCorp, we’re committed to making policy management easier for our customers. We understand that developing policies from scratch can be time-consuming and resource-intensive. To address this, we’re introducing our Prewritten Policy Libraries—expertly crafted, ready-to-use policies designed to streamline your compliance processes and enhance security across your infrastructure.
This repository contains several policies designed to accelerate the adoption of the CIS AWS Foundations Benchmark within HCP Terraform. These policies can be utilized to enforce best practices and security standards across your AWS environment.
For more details on how to work with these policies and to understand the Sentinel language and framework, please refer to the Sentinel documentation or the README documentation included with each of the policy libraries.
We aim to validate the effectiveness of our policies by collecting diverse user feedback and understanding real-world use cases. This input will help refine our policies and enhance their overall impact.
- You can submit your feedback via a public survey.
- If you have any issues or enhancement suggestions for the library, please create a new GitHub issue.
- Alternatively, we welcome any contributions that improve the impact of this library! To learn more about contributing and suggesting changes to this library, refer to the contributing guide.
- CloudTrail S3 Bucket should have access logging enabled (docs | code)
- CloudTrail CloudWatch Logs Group ARN is set (docs | code)
- CloudTrail Log File Validation is enabled (docs | code)
- CloudTrail S3 Bucket should not be public (docs | code)
- CloudTrail should have encryption at-rest enabled (docs | code)
- S3 general purpose buckets should have block public access settings enabled (docs | code)
- S3 general purpose buckets should have block public access settings enabled at a bucket level (docs | code)
- Ensure that Object-level logging for read events is enabled for S3 buckets (docs | code)
- Ensure that Object-level logging for write events is enabled for S3 buckets (docs | code)
- S3 general purpose buckets should have MFA delete enabled (docs | code)
- S3 general purpose buckets should require SSL for all requests (docs | code)
- Ensure VPC flow logging is enabled in all VPCs (docs | code)
- AWS EBS volumes are encrypted (docs | code)
- Ensure that EC2 Metadata Service only allows IMDSv2 (docs | code)
- AWS EC2 Network Acls should not allow ingress traffic from 0.0.0.0/0 or ::/0 to ports 22 or 3389 (docs | code)
- AWS Security Group should not allow ingress traffic from 0.0.0.0/0 or ::/0 to port 22 (docs | code)
- AWS Security Group should not allow ingress traffic from 0.0.0.0/0 or ::/0 to port 3389 (docs | code)
- AWS Security Group should not allow ingress traffic from 0.0.0.0/0 to ports 22 and 3389 (docs | code)
- AWS Security Group should not allow ingress traffic from ::/0 to ports 22 and 3389 (docs | code)
- EC2 VPC Default Security Group No Traffic (docs | code)
- EC2 VPC Flow Logging Enabled (docs | code)
- IAM policies should not allow full "*" administrative privileges (docs | code)
- IAM users should not have IAM policies attached (docs | code)
- AWS IAM Password Policy should expire passwords within 90 days or less (docs | code)
- AWS IAM Password Policy requires minimum password length of 14 or greater (docs | code)
- AWS IAM Password Policy requires at least one lowercase letter (docs | code)
- AWS IAM Password Policy requires at least one number (docs | code)
- AWS IAM Password Policy prevents password reuse (docs | code)
- AWS IAM Password Policy requires at least one symbol (docs | code)
- AWS IAM Password Policy requires at least one uppercase letter (docs | code)
- Ensure that encryption is enabled for EFS file systems (docs | code)
- AWS KMS key rotation should be enabled (docs | code)
- Ensure that encryption-at-rest is enabled for RDS Instances (docs | code)
- Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances (docs | code)
- Ensure that public access is not given to RDS Instance (docs | code)
This getting started guide assumes that:
- You are familiar with core workflows in HCP Terraform and Terraform Enterprise, and you have an existing workspace configured with AWS access credentials.
  Tip: If you do not have these prerequisites, please refer to the Use VCS-Driven Workflow and Create a Variable Set tutorials for guidance.
- You have a user account that is part of the "owners" team or has "Manage Policies" organization-level permissions to create new policy sets and policies.
- You are using HCP Terraform or Terraform Enterprise v202312-1 or a later version.
- You are using Sentinel version 0.26.x or later.
By default, the module will enable all policies within the library, and they will be enforced by the HCP Platform with the `enforcement_level` set to `advisory` only.
Example:

```hcl
policy "iam-password-expiry" {
  source            = "./policies/iam/iam-password-expiry.sentinel"
  enforcement_level = "advisory"
  params = {
    password_expiry_days = 90
  }
}
```
If you want to enable only a subset of the policies or change the enforcement levels to either `soft-mandatory` or `hard-mandatory`, we recommend updating the contents of the `sentinel.hcl` file in each library before applying the Terraform configuration.
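As an added example (not the library's own `sentinel.hcl`), the following trimmed `sentinel.hcl` keeps only two policies and raises their enforcement levels; the `iam-password-expiry` path is the one from the default example above, while the second policy's name and path are placeholders for whichever policy file you want to enable.

```hcl
# Added example: a trimmed sentinel.hcl that enables only a subset of the
# library's policies and changes their enforcement levels.
# Only policies listed here are evaluated; anything omitted is not run.
# Keep the library's existing "module" blocks in this file as well, since
# the policies depend on them.

# Path taken from the library's default example.
# soft-mandatory: a failing check blocks the run, but a user with
# override permission on the policy set can approve it.
policy "iam-password-expiry" {
  source            = "./policies/iam/iam-password-expiry.sentinel"
  enforcement_level = "soft-mandatory"
  params = {
    password_expiry_days = 90
  }
}

# Placeholder name and path: substitute the .sentinel file of the policy
# you want to enforce strictly (for example one of the security group
# ingress checks listed above).
# hard-mandatory: a failing check always blocks the run; it cannot be
# overridden.
policy "<policy-name>" {
  source            = "./policies/<category>/<policy-name>.sentinel"
  enforcement_level = "hard-mandatory"
}
```

The enforcement level decides what happens on a failed check, not what is checked; re-run a plan against a known non-compliant configuration after editing the file to confirm the subset and levels behave as intended.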
Important: The policies in each library are opinionated and depend on several Sentinel modules. To learn more about modules, please refer to the Sentinel module documentation.
To learn more about how to configure a policy set as a policy evaluation, please review the Terraform Enterprise provider documentation.
The following methods outline the recommended ways to consume and implement pre-written Sentinel policies for the CIS AWS Foundations Benchmark in your workflows. These policies can be used in both Terraform Enterprise (TFE) and Terraform Cloud (TFC) environments.
- Navigate to the Terraform Registry and select the desired Sentinel policy.
- Copy the provided policy snippet from the registry.
- Create a GitHub repository (or use an existing one) to store your policies.
- Add a sentinel.hcl file to the repository and paste the copied policy snippet(s) into this file.
- Connect the repository to Terraform Cloud or Terraform Enterprise using the VCS (Version Control System) workflow.
- Trigger policy execution automatically during the plan stage in Terraform Cloud or Terraform Enterprise.
- Access the public GitHub repository containing the policy library.
- You can directly use the repository as-is or fork it to customize the policies for your specific requirements.
- If forking, ensure you sync your fork with the upstream repository periodically to stay updated with the latest changes.
- Avoid using the default branch for consumption in Terraform Cloud or Terraform Enterprise. Instead, use the release branches for better stability.
- Attach the repository (or your fork) to Terraform Cloud or Terraform Enterprise using the VCS workflow.
- Run a Terraform plan to execute the policies during the post-plan stage.
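As an added example (not code from the library or from the module mentioned below), this Terraform configuration uses the `tfe_policy_set` resource from the Terraform Enterprise provider to attach a fork of the policy library from a release branch, as recommended above; the organization name, repository identifier, branch, policies path, OAuth token ID and workspace ID are placeholders.

```hcl
# Added example: attach the policy library to HCP Terraform / Terraform
# Enterprise with the tfe provider, pinned to a release branch instead of
# the default branch. All angle-bracketed values are placeholders.
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

provider "tfe" {
  # Authenticates via the TFE_TOKEN environment variable; the hostname
  # defaults to app.terraform.io (HCP Terraform).
}

resource "tfe_policy_set" "cis_aws" {
  name         = "cis-aws-foundations-benchmark"
  description  = "Pre-written Sentinel policies for the CIS AWS Foundations Benchmark"
  organization = "<your-organization>"
  kind         = "sentinel"

  # Run the set as a policy evaluation in the agent (see the Terraform
  # Enterprise provider documentation referenced above).
  agent_enabled = true

  # Directory inside the repository that contains sentinel.hcl.
  policies_path = "<path-to-library>"

  # Attach only to the workspaces that manage AWS resources.
  workspace_ids = ["<workspace-id>"]

  vcs_repo {
    # "<github-org>/<fork-of-policy-library>"
    identifier         = "<github-org>/<repository>"
    # Release branch, not the default branch, for stability.
    branch             = "<release-branch>"
    ingress_submodules = false
    oauth_token_id     = "<oauth-token-id>"
  }
}
```

After `terraform apply`, the next plan in an attached workspace runs the policy set in the post-plan stage; check the run's policy check output to confirm the set was evaluated.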
- Use a dedicated Terraform module designed to manage Sentinel policy sets.
- Provide a minimal set of variable inputs (typically four) to configure and attach the policies.
- The module will automatically attach the latest versions of multiple policy sets to their respective workspaces.
- Execute a Terraform plan to verify that the policy sets are applied successfully in Terraform Cloud or Terraform Enterprise.
- These policies are compatible with both Terraform Cloud (TFC) and Terraform Enterprise (TFE). Ensure your workflow is configured accordingly.
- When using the public GitHub repository, it is recommended to use release branches for stability and avoid consuming policies directly from the default branch.
- Regularly update your policies to align with the latest CIS AWS Foundations Benchmark standards and Terraform best practices.
- Customize policies as needed to meet your organization's specific compliance and security requirements.