0.0.58 • Published 5 months ago

@cdklabs/cdk-validator-cfnguard v0.0.58

Weekly downloads
-
License
Apache-2.0
Repository
github
Last release
5 months ago

CDK CFN Guard Validator Plugin

cdk-constructs: Experimental

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update

your source code when upgrading to a newer version of this package.

Installing

TypeScript/JavaScript

npm install @cdklabs/cdk-validator-cfnguard

Python

pip install cdklabs.cdk-validator-cfnguard

Java

// add this to your pom.xml
<dependency>
    <groupId>io.github.cdklabs</groupId>
    <artifactId>cdk-validator-cfnguard</artifactId>
    <version>0.0.0</version> // replace with version
</dependency>

.NET

dotnet add package Cdklabs.CdkValidatorCfnGuard --version X.X.X

Usage

To use this plugin in your CDK application add it to the CDK App.

new App({
  policyValidationBeta1: [
    new CfnGuardValidator(),
  ],
});

By default the CfnGuardValidator plugin comes with the Control Tower proactive controls enabled. In order to disable these rules you can use the controlTowerRulesEnabled: false property.

new CfnGuardValidator({
  controlTowerRulesEnabled: false,
});

It is also possible to disable individual rules.

new CfnGuardValidator({
  disabledRules: [
    'ct-s3-pr-1',
  ],
});

Additional rules

To provide additional rules to the plugin, provide a list of local file or directory paths.

new CfnGuardValidator({
  rules: [
    'path/to/local-rules-directory',
    'path/to/s3/local-rules/my-rule.guard',
  ],
});

If the path provided is a directory then the directory must only contain guard rule files, and all rules within the directory will be used.

Using the bundled Control Tower proactive controls in CDK

The bundled Control Tower proactive controls use CloudFormation Guard policies that are also used in managed controls from the Control Tower service. You can use these CDK bundled controls without having a Control Tower environment in AWS, but there are many benefits to using the two together.

When you enable Control Tower proactive controls in your Control Tower environment, the controls can stop the deployment of non-compliant resources deployed via CloudFormation. For more information about managed proactive controls and how they work, see the Control Tower documentation.

These CDK bundled controls and managed Control Tower proactive controls are best used together. In this scenario you can configure this validation plugin with the same proactive controls that are active in your Control Tower cloud environment. You can then quickly gain confidence that your CDK application will pass the Control Tower controls by running cdk synth locally or in a pipeline as described above.

Regardless of whether you or your organization use Control Tower, however, you should understand the following things about these bundled controls when run locally using this plugin:

  1. These CloudFormation guard policies accept a limited subset of CloudFormation syntax for the properties they evaluate. For instance, a property called EncryptionEnabled may pass if it is specified with the literal value true, but it may fail if it is specified with a reference to a CloudFormation stack parameter instead. Similarly, if a rule checks for a string value, it may fail for Fn::Join objects. If you discover that a rule can be bypassed with a particular configuration of a resource, please file an issue.
  2. Some rules may check references to other resources, but this reference checking is limited. For instance, a rule may require that an access logging bucket is specified for each S3 bucket. In this case, the rule can check whether you have passed a reference to a bucket in the same template, but it cannot verify that a hardcoded bucket name like "examplebucket" actually refers to a real bucket or a bucket you own.

You can add a layer of security protection by enabling the same proactive controls in your Control Tower cloud environment. There are different considerations for using these controls since they operate in a different way. For more information, see the Control Tower proactive controls documentation.

If you do not yet have a Control Tower environment, see What is AWS Control Tower?.

Bundled Control Tower Rules

IDNameEvaluated Resource Types
CT.ACM.PR.1Require an AWS Private CA certificate to have a single domain nameAWS::CertificateManager::Certificate
CT.APIGATEWAY.PR.1Require an Amazon API Gateway REST and WebSocket API to have logging activatedAWS::ApiGateway::Stage
CT.APIGATEWAY.PR.2Require an Amazon API Gateway REST API stage to have AWS X-Ray tracing activatedAWS::ApiGateway::Stage
CT.APIGATEWAY.PR.3Require that an Amazon API Gateway REST API stage has encryption at rest configured for cache dataAWS::ApiGateway::Stage
CT.APIGATEWAY.PR.4Require an Amazon API Gateway V2 stage to have access logging activatedAWS::ApiGatewayV2::Stage
CT.APIGATEWAY.PR.5Require Amazon API Gateway V2 Websocket and HTTP routes to specify an authorization typeAWS::ApiGatewayV2::RouteAWS::ApiGatewayV2::ApiGatewayManagedOverrides
CT.APIGATEWAY.PR.6Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2AWS::ApiGateway::DomainName
CT.APPSYNC.PR.1Require an AWS AppSync GraphQL API to have logging enabledAWS::AppSync::GraphQLApi
CT.APPSYNC.PR.2Require an AWS AppSync GraphQL API to be configured with private visibilityAWS::AppSync::GraphQLApi
CT.APPSYNC.PR.3Require that an AWS AppSync GraphQL API is not authenticated with API keysAWS::AppSync::GraphQLApi
CT.APPSYNC.PR.4Require an AWS AppSync GraphQL API cache to have encryption in transit enabled.AWS::AppSync::ApiCache
CT.APPSYNC.PR.5Require an AWS AppSync GraphQL API cache to have encryption at rest enabled.AWS::AppSync::ApiCache
CT.ATHENA.PR.1Require an Amazon Athena workgroup to encrypt Athena query results at restAWS::Athena::WorkGroup
CT.ATHENA.PR.2Require an Amazon Athena workgroup to encrypt Athena query results at rest with an AWS Key Management Service (KMS) keyAWS::Athena::WorkGroup
CT.AUTOSCALING.PR.1Require an Amazon EC2 Auto Scaling group to have multiple Availability ZonesAWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.2Require an Amazon EC2 Auto Scaling group launch configuration to configure Amazon EC2 instances for IMDSv2AWS::AutoScaling::LaunchConfiguration
CT.AUTOSCALING.PR.3Require an Amazon EC2 Auto Scaling launch configuration to have a single-hop metadata response limitAWS::AutoScaling::LaunchConfiguration
CT.AUTOSCALING.PR.4Require an Amazon EC2 Auto Scaling group associated with an AWS Elastic Load Balancer (ELB) to have ELB health checks activatedAWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.5Require that an Amazon EC2 Auto Scaling group launch configuration does not have Amazon EC2 instances with public IP addressesAWS::AutoScaling::LaunchConfiguration
CT.AUTOSCALING.PR.6Require any Amazon EC2 Auto Scaling groups to use multiple instance typesAWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.8Require an Amazon EC2 Auto Scaling group to have EC2 launch templates configuredAWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.9Require an Amazon EBS volume configured through an Amazon EC2 Auto Scaling launch configuration to encrypt data at restAWS::AutoScaling::LaunchConfiguration
CT.AUTOSCALING.PR.10Require an Amazon EC2 Auto Scaling group to use only AWS Nitro instance types when overriding a launch templateAWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.11Require only AWS Nitro instance types that support network traffic encryption between instances to be added to an Amazon EC2 Auto Scaling group, when overriding a launch templateAWS::AutoScaling::AutoScalingGroup
CT.CLOUDFRONT.PR.1Require an Amazon CloudFront distribution to have a default root object configuredAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.3Require an Amazon CloudFront distribution to have encryption in transit configuredAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.4Require an Amazon CloudFront distribution to have origin failover configuredAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.5Require any Amazon CloudFront distribution to have logging enabledAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.6Require an Amazon CloudFront distribution to use custom SSL/TLS certificatesAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.7Require an Amazon CloudFront distribution to use SNI to serve HTTPS requestsAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.8Require an Amazon CloudFront distribution to encrypt traffic to custom originsAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.9Require an Amazon CloudFront distribution to have a security policy of TLSv1.2 as a minimumAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.10Require any Amazon CloudFront distributions with Amazon S3 backed origins to have origin access control configuredAWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.11Require an Amazon CloudFront distribution to use updated SSL protocols between edge locations and custom originsAWS::CloudFront::Distribution
CT.CLOUDTRAIL.PR.1Require an AWS CloudTrail trail to have encryption at rest activatedAWS::CloudTrail::Trail
CT.CLOUDTRAIL.PR.2Require an AWS CloudTrail trail to have log file validation activatedAWS::CloudTrail::Trail
CT.CLOUDTRAIL.PR.3Require an AWS CloudTrail trail to have an Amazon CloudWatch log group configurationAWS::CloudTrail::Trail
CT.CLOUDTRAIL.PR.4Require an AWS CloudTrail Lake event data store to enable encryption at rest with an AWS KMS keyAWS::CloudTrail::EventDataStore
CT.CLOUDWATCH.PR.1Require an Amazon CloudWatch alarm to have an action configured for the alarm stateAWS::CloudWatch::Alarm
CT.CLOUDWATCH.PR.2Require an Amazon CloudWatch log group to be retained for at least one yearAWS::Logs::LogGroup
CT.CLOUDWATCH.PR.3Require an Amazon CloudWatch log group to be encrypted at rest with an AWS KMS keyAWS::Logs::LogGroup
CT.CLOUDWATCH.PR.4Require an Amazon CloudWatch alarm to have actions activatedAWS::CloudWatch::Alarm
CT.CODEBUILD.PR.1Require OAuth on GitHub or Bitbucket source repository URLs for AWS CodeBuild projectsAWS::CodeBuild::Project
CT.CODEBUILD.PR.2Require any AWS CodeBuild project environment variable to encrypt credentials in environment variablesAWS::CodeBuild::Project
CT.CODEBUILD.PR.3Require any AWS CodeBuild project environment to have logging configuredAWS::CodeBuild::Project
CT.CODEBUILD.PR.4Require any AWS CodeBuild project to deactivate privileged mode when runningAWS::CodeBuild::Project
CT.CODEBUILD.PR.5Require encryption on all AWS CodeBuild project artifactsAWS::CodeBuild::Project
CT.CODEBUILD.PR.6Require encryption on all Amazon S3 logs for AWS CodeBuild projectsAWS::CodeBuild::Project
CT.DAX.PR.1Require encryption at rest for all Amazon DynamoDB Accelerator (DAX) clustersAWS::DAX::Cluster
CT.DAX.PR.2Require an Amazon DAX cluster to deploy nodes to at least three Availability ZonesAWS::DAX::Cluster
CT.DAX.PR.3Require an Amazon DAX cluster to encrypt data in transit with Transport Layer Security (TLS)AWS::DAX::Cluster
CT.DMS.PR.1Require that a public AWS DMS replication instance is not publicAWS::DMS::ReplicationInstance
CT.DMS.PR.2Require an AWS Database Migration Service (DMS) Endpoint to encrypt connections for source and target endpointsAWS::DMS::Endpoint
CT.DOCUMENTDB.PR.1Require an Amazon DocumentDB cluster to be encrypted at restAWS::DocDB::DBCluster
CT.DOCUMENTDB.PR.2Require an Amazon DocumentDB cluster to have a backup retention period greater than or equal to seven daysAWS::DocDB::DBCluster
CT.DYNAMODB.PR.1Require that point-in-time recovery for an Amazon DynamoDB table is activatedAWS::DynamoDB::Table
CT.DYNAMODB.PR.2Require an Amazon DynamoDB table to be encrypted at rest using an AWS KMS keyAWS::DynamoDB::Table
CT.EC2.PR.1Require an Amazon EC2 launch template to have IMDSv2 configuredAWS::EC2::LaunchTemplate
CT.EC2.PR.2Require that Amazon EC2 launch templates restrict the token hop limit to a maximum of oneAWS::EC2::LaunchTemplate
CT.EC2.PR.3Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for ports other than 80 and 443AWS::EC2::SecurityGroupAWS::EC2::SecurityGroupIngress
CT.EC2.PR.4Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for specific high-risk portsAWS::EC2::SecurityGroupAWS::EC2::SecurityGroupIngress
CT.EC2.PR.5Require any Amazon EC2 network ACL to prevent ingress from 0.0.0.0/0 to port 22 or port 3389AWS::EC2::NetworkAclEntry
CT.EC2.PR.6Require that Amazon EC2 transit gateways refuse automatic Amazon VPC attachment requestsAWS::EC2::TransitGateway
CT.EC2.PR.7Require an Amazon EBS volume resource to be encrypted at rest when defined by means of the AWS::EC2::Instance BlockDeviceMappings property or AWS::EC2::Volume resource typeAWS::EC2::InstanceAWS::EC2::Volume
CT.EC2.PR.8Require an Amazon EC2 instance to set AssociatePublicIpAddress to false on a new network interface created by means of the NetworkInterfaces property in the AWS::EC2::Instance resourceAWS::EC2::Instance
CT.EC2.PR.9Require any Amazon EC2 launch template not to auto-assign public IP addresses to network interfacesAWS::EC2::LaunchTemplate
CT.EC2.PR.10Require Amazon EC2 launch templates to have Amazon CloudWatch detailed monitoring activatedAWS::EC2::LaunchTemplate
CT.EC2.PR.11Require that an Amazon EC2 subnet does not automatically assign public IP addressesAWS::EC2::Subnet
CT.EC2.PR.12Require an Amazon EC2 instance to specify at most one network interface by means of the NetworkInterfaces property in the AWS::EC2::Instance resourceAWS::EC2::Instance
CT.EC2.PR.13Require an Amazon EC2 instance to have detailed monitoring enabledAWS::EC2::Instance
CT.EC2.PR.14Require an Amazon EBS volume configured through an Amazon EC2 launch template to encrypt data at restAWS::EC2::LaunchTemplate
CT.EC2.PR.15Require an Amazon EC2 instance to use an AWS Nitro instance type when creating from the 'AWS::EC2::LaunchTemplate' resource typeAWS::EC2::LaunchTemplate
CT.EC2.PR.16Require an Amazon EC2 instance to use an AWS Nitro instance type when created using the 'AWS::EC2::Instance' resource typeAWS::EC2::Instance
CT.EC2.PR.17Require an Amazon EC2 dedicated host to use an AWS Nitro instance typeAWS::EC2::Host
CT.EC2.PR.18Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance typesAWS::EC2::EC2Fleet
CT.EC2.PR.19Require an EC2 instance to use an AWS Nitro instance type that supports encryption in-transit between instances when created using the AWS::EC2::Instance resource typeAWS::EC2::Instance
CT.EC2.PR.20Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types that support encryption in transit between instancesAWS::EC2::EC2Fleet
CT.ECR.PR.1Require Amazon ECR repositories to have a lifecycle policy configuredAWS::ECR::Repository
CT.ECR.PR.2Require Amazon ECR private repositories to have image scanning enabledAWS::ECR::Repository
CT.ECR.PR.3Require Amazon ECR private repositories to have tag immutability enabledAWS::ECR::Repository
CT.ECS.PR.1Require AWS ECS Fargate Services to run on the latest Fargate platform versionAWS::ECS::Service
CT.ECS.PR.2Require any Amazon ECS cluster to have container insights activatedAWS::ECS::Cluster
CT.ECS.PR.3Require any Amazon ECS task definition to specify a user that is not the rootAWS::ECS::TaskDefinition
CT.ECS.PR.4Require Amazon ECS tasks to use 'awsvpc' networking modeAWS::ECS::TaskDefinition
CT.ECS.PR.5Require an active Amazon ECS task definition to have a logging configurationAWS::ECS::TaskDefinition
CT.ECS.PR.6Require Amazon ECS containers to allow read-only access to the root filesystemAWS::ECS::TaskDefinition
CT.ECS.PR.7Require an Amazon ECS task definition to have a specific memory usage limitAWS::ECS::TaskDefinition
CT.ECS.PR.8Require Amazon ECS task definitions to have secure networking modes and user definitionsAWS::ECS::TaskDefinition
CT.ECS.PR.9Require Amazon ECS services not to assign public IP addresses automaticallyAWS::ECS::Service
CT.ECS.PR.10Require that Amazon ECS task definitions do not share the host's process namespaceAWS::ECS::TaskDefinition
CT.ECS.PR.11Require an Amazon ECS container to run as non-privilegedAWS::ECS::TaskDefinition
CT.ECS.PR.12Require that Amazon ECS task definitions do not pass secrets as container environment variablesAWS::ECS::TaskDefinition
CT.EKS.PR.1Require an Amazon EKS cluster to be configured with public access disabled to the cluster Kubernetes API server endpoint.AWS::EKS::Cluster
CT.EKS.PR.2Require an Amazon EKS cluster to be configured with secret encryption using AWS Key Management Service (KMS) keysAWS::EKS::Cluster
CT.ELASTICACHE.PR.1Require an Amazon ElastiCache for Redis cluster to have automatic backups activatedAWS::ElastiCache::CacheCluster
CT.ELASTICACHE.PR.2Require an Amazon ElastiCache for Redis cluster to have automatic minor version upgrades activatedAWS::ElastiCache::CacheCluster
CT.ELASTICACHE.PR.3Require an Amazon ElastiCache for Redis replication group to have automatic failover activatedAWS::ElastiCache::ReplicationGroup
CT.ELASTICACHE.PR.4Require an Amazon ElastiCache replication group to have encryption at rest activatedAWS::ElastiCache::ReplicationGroup
CT.ELASTICACHE.PR.5Require an Amazon ElastiCache for Redis replication group to have encryption in transit activatedAWS::ElastiCache::ReplicationGroup
CT.ELASTICACHE.PR.6Require an Amazon ElastiCache cache cluster to use a custom subnet groupAWS::ElastiCache::CacheCluster
CT.ELASTICACHE.PR.7Require an Amazon ElastiCache replication group of earlier Redis versions to have Redis AUTH activatedAWS::ElastiCache::ReplicationGroup
CT.ELASTICACHE.PR.8Require an Amazon ElastiCache replication group of later Redis versions to have RBAC authentication activatedAWS::ElastiCache::ReplicationGroup
CT.ELASTICBEANSTALK.PR.1Require AWS Elastic Beanstalk environments to have enhanced health reporting enabledAWS::ElasticBeanstalk::EnvironmentAWS::ElasticBeanstalk::ConfigurationTemplate
CT.ELASTICBEANSTALK.PR.2Require an AWS Elastic Beanstalk environment to have managed platform updates configuredAWS::ElasticBeanstalk::EnvironmentAWS::ElasticBeanstalk::ConfigurationTemplate
CT.ELASTICBEANSTALK.PR.3Require an AWS Elastic Beanstalk environment to have a logging configurationAWS::ElasticBeanstalk::EnvironmentAWS::ElasticBeanstalk::ConfigurationTemplate
CT.ELASTICFILESYSYSTEM.PR.1Require an Amazon EFS file system to encrypt file data at rest using AWS KMSAWS::EFS::FileSystem
CT.ELASTICFILESYSYSTEM.PR.2Require an Amazon EFS volume to have an automated backup planAWS::EFS::FileSystem
CT.ELASTICFILESYSYSTEM.PR.3Require Amazon EFS access points to have a root directoryAWS::EFS::AccessPoint
CT.ELASTICFILESYSYSTEM.PR.4Require Amazon EFS access points to enforce a user identityAWS::EFS::AccessPoint
CT.ELASTICLOADBALANCING.PR.1Require any application load balancer listener default actions to redirect all HTTP requests to HTTPSAWS::ElasticLoadBalancingV2::Listener
CT.ELASTICLOADBALANCING.PR.2Require any Amazon ELB application or network load balancer to have an AWS Certificate Manager certificateAWS::ElasticLoadBalancingV2::ListenerAWS::ElasticLoadBalancingV2::ListenerCertificate
CT.ELASTICLOADBALANCING.PR.3Require any application load balancer to have defensive or strictest desync mitigation mode activatedAWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.4Require that any application load balancer must be configured to drop HTTP headersAWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.5Require that application load balancer deletion protection is activatedAWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.6Require that application and network load balancer access logging is activatedAWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.7Require any classic load balancer to have multiple Availability Zones configuredAWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.8Require any classic load balancer SSL/HTTPS listener to have a certificate provided by AWS Certificate ManagerAWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.9Require that an AWS ELB application or classic load balancer listener is configured with HTTPS or TLS terminationAWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.10Require an ELB application or classic load balancer to have logging activatedAWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.11Require any ELB classic load balancer to have connection draining activatedAWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.12Require any ELB classic load balancer SSL/HTTPS listener to have a predefined security policy with a strong configurationAWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.13Require any ELB classic load balancer to have cross-zone load balancing activatedAWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.14Require a Network Load Balancer to have cross-zone load balancing activatedAWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.15Require that an Elastic Load Balancing v2 target group does not explicitly disable cross-zone load balancingAWS::ElasticLoadBalancingV2::TargetGroup
CT.EMR.PR.1Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3AWS::EMR::SecurityConfiguration
CT.EMR.PR.2Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 with an AWS KMS keyAWS::EMR::SecurityConfiguration
CT.EMR.PR.3Require that an Amazon Elastic MapReduce (EMR) security configuration is configured with EBS volume local disk encryption using an AWS KMS keyAWS::EMR::SecurityConfiguration
CT.EMR.PR.4Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data in transitAWS::EMR::SecurityConfiguration
CT.GLUE.PR.1Require an AWS Glue job to have an associated security configurationAWS::Glue::Job
CT.GUARDDUTY.PR.1Require an Amazon GuardDuty detector to have Amazon S3 protection activatedAWS::GuardDuty::Detector
CT.IAM.PR.1Require that an AWS Identity and Access Management (IAM) inline policy does not have a statement that includes "*" in the Action and Resource elementsAWS::IAM::PolicyAWS::IAM::RoleAWS::IAM::UserAWS::IAM::Group
CT.IAM.PR.2Require that AWS Identity and Access Management (IAM) customer-managed policies do not contain a statement that includes "*" in the Action and Resource elementsAWS::IAM::ManagedPolicy
CT.IAM.PR.3Require that AWS Identity and Access Management (IAM) customer-managed policies do not have wildcard service actionsAWS::IAM::ManagedPolicy
CT.IAM.PR.4Require that an AWS Identity and Access Management (IAM) user does not have an inline or managed policy attached attachedAWS::IAM::UserAWS::IAM::PolicyAWS::IAM::ManagedPolicy

| CT.IAM.PR.5(https://docs.aws.amazon.com/controltower

cdkpolicy as codevalidator
@everything-registry/sub-chunk-160
0.0.58

5 months ago

0.0.47

11 months ago

0.0.51

10 months ago

0.0.52

10 months ago

0.0.53

9 months ago

0.0.54

9 months ago

0.0.55

6 months ago

0.0.56

6 months ago

0.0.57

6 months ago

0.0.50

10 months ago

0.0.48

10 months ago

0.0.49

10 months ago

0.0.40

11 months ago

0.0.41

11 months ago

0.0.42

11 months ago

0.0.43

11 months ago

0.0.44

11 months ago

0.0.45

11 months ago

0.0.46

11 months ago

0.0.37

11 months ago

0.0.38

11 months ago

0.0.39

11 months ago

0.0.36

11 months ago

0.0.25

1 year ago

0.0.30

1 year ago

0.0.31

1 year ago

0.0.32

1 year ago

0.0.33

12 months ago

0.0.34

12 months ago

0.0.35

12 months ago

0.0.26

1 year ago

0.0.27

1 year ago

0.0.28

1 year ago

0.0.29

1 year ago

0.0.20

1 year ago

0.0.21

1 year ago

0.0.22

1 year ago

0.0.23

1 year ago

0.0.24

1 year ago

0.0.17

1 year ago

0.0.18

1 year ago

0.0.19

1 year ago

0.0.16

1 year ago

0.0.15

1 year ago

0.0.14

1 year ago

0.0.13

1 year ago

0.0.12

1 year ago

0.0.11

1 year ago

0.0.10

1 year ago

0.0.9

1 year ago

0.0.8

1 year ago

0.0.7

1 year ago

0.0.6

1 year ago

0.0.5

1 year ago

0.0.4

1 year ago

0.0.3

1 year ago

0.0.2

1 year ago