Comprehensive OPA policies that can be used to establish secure Terraform configuration for Amazon Web Services infrastructure.
- Access logging should be configured for API Gateway V2 Stages (docs | OPA)
- Amazon DynamoDB Accelerator Clusters should have encryption in transit enabled (docs | OPA)
- Amazon DynamoDB Accelerator (DAX) clusters should be encrypted at rest (docs | OPA)
- Elastic File System should be configured to encrypt data at-rest using AWS KMS (docs | OPA)
- Firehose delivery streams should be encrypted at rest using AWS KMS (docs | OPA)
- Step Functions state machines should have logging turned on (docs | OPA)
- AWS Glue Spark jobs should run on supported versions of AWS Glue (docs | OPA)
- ECS task sets should not automatically assign public IP addresses (docs | OPA)
- ECR private repositories should have image scanning configured (docs | OPA)
- ECR repositories should have at least one lifecycle policy configured (docs | OPA)
- DMS replication instances should have automatic minor version upgrade enabled (docs | OPA)
- Amazon MQ brokers should have automatic minor version upgrade enabled (docs | OPA)
- RDS automatic minor version upgrades should be enabled (docs | OPA)
- ElastiCache clusters should have automatic minor version upgrades enabled (docs | OPA)
- Database Migration Service replication instances should not be public (docs | OPA)
- Amazon Redshift clusters should prohibit public access (docs | OPA)
- Amazon Redshift should have automatic upgrades to major versions enabled (docs | OPA)
- Neptune DB clusters should be configured to copy tags to snapshots (docs | OPA)
- AWS AppSync API caches should be encrypted at rest (docs | OPA)
- AWS AppSync API caches should be encrypted in transit (docs | OPA)
- EventBridge custom event buses should have a resource-based policy attached (docs | OPA)
- OpenSearch domains should encrypt data sent between nodes (docs | OPA)