Pulumi CrossGuard policies for AWS (Preview)

NOTE: This library is part of Pulumi's Policy as Code offering. It is currently being previewed and is subject to breaking changes. We've included an initial set of policies for AWS and are in the process of adding many more.

Overview

AWSGuard codifies best practices for AWS. This is a configurable library that you can use to enforce these best practices for your own Pulumi stacks or organization.

For more information on Pulumi's Policy as Code solution, visit our docs.

Trying AWSGuard

In this guide, we'll show you how to create a Policy Pack that configures and uses the policies available in AWSGuard.

Prerequisites

Verify your version of the Pulumi CLI

pulumi version

Authoring a Policy Pack that uses AWSGuard policies

To use AWSGuard policies, you must create a Policy Pack that references the @pulumi/awsguard npm package and in the implementation of the Policy Pack, create a new instance of the AwsGuard class.

1. Create a directory for your new Policy Pack, and change into it.

mkdir awsguard && cd awsguard

2. Run the pulumi policy new command.

pulumi policy new awsguard-typescript

3. Tweak the code in the index.ts file as desired. The default implementation provided by the awsguard-typescript template simply creates a new instance of AwsGuard with all policies set to have an enforcement level of advisory.

new AwsGuard({ all: "advisory" });

From here, you can change the enforcement level for all policies or configure individual policies. For example:

To make all policies mandatory rather than advisory:

new AwsGuard({ all: "mandatory" });

To make all policies mandatory, but change certain policies to be advisory:

new AwsGuard({
    all: "mandatory",
    ec2InstanceNoPublicIP: "advisory",
    elbAccessLoggingEnabled: "advisory",
});

To disable a particular policy:

new AwsGuard({
    ec2InstanceNoPublicIP: "disabled",
});

To disable all policies except ones explicitly enabled:

new AwsGuard({
    all: "disabled",
    ec2InstanceNoPublicIP: "mandatory",
    elbAccessLoggingEnabled: "mandatory",
});

To specify additional configuration for policies that support it:

new AwsGuard({
    ec2VolumeInUse: { checkDeletion: false },
    encryptedVolumes: { enforcementLevel: "mandatory", kmsId: "id" },
    redshiftClusterMaintenanceSettings: { preferredMaintenanceWindow: "Mon:09:30-Mon:10:00" },
    acmCertificateExpiration: { maxDaysUntilExpiration: 10 },
});
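The snippets above each hand a literal object to the AwsGuard constructor. In an organization-wide Policy Pack it helps to assemble that object from a default level plus explicit overrides and to reject typos (an unknown policy name or a misspelled enforcement level) before the pack is published. The following is an added example, not code from the AWSGuard project: the type names EnforcementLevel, PolicyName and AwsGuardArgs are this example's own assumptions that mirror the configuration shape shown in this README (they are not exports of @pulumi/awsguard), and the policy list is limited to the names that appear on this page.

```typescript
// Added example (not AWSGuard's own code): builds the argument object that a
// Policy Pack's index.ts passes to `new AwsGuard(...)`, validating it first.
// EnforcementLevel, PolicyName and AwsGuardArgs are assumed local types that
// mirror the README's configuration shape, not exports of @pulumi/awsguard.

type EnforcementLevel = "advisory" | "mandatory" | "disabled";

// Policy names that appear in this README; the real library exposes more.
const KNOWN_POLICIES = [
  "ec2InstanceNoPublicIP",
  "elbAccessLoggingEnabled",
  "ec2VolumeInUse",
  "encryptedVolumes",
  "redshiftClusterMaintenanceSettings",
  "acmCertificateExpiration",
] as const;
type PolicyName = (typeof KNOWN_POLICIES)[number];

// A policy entry is either a bare enforcement level or an object carrying
// policy-specific settings plus an optional enforcement level.
type PolicyConfig =
  | EnforcementLevel
  | ({ enforcementLevel?: EnforcementLevel } & Record<string, unknown>);

type AwsGuardArgs = { all?: EnforcementLevel } & Partial<Record<PolicyName, PolicyConfig>>;

const LEVELS: readonly string[] = ["advisory", "mandatory", "disabled"];

function isLevel(x: unknown): x is EnforcementLevel {
  return typeof x === "string" && LEVELS.includes(x);
}

// Merge a default level with per-policy overrides. An unknown policy name
// would otherwise be silently ignored by a plain object literal, and a
// misspelled level would only surface when the pack runs at `pulumi up`.
export function buildAwsGuardArgs(
  all: EnforcementLevel,
  overrides: Partial<Record<PolicyName, PolicyConfig>> = {},
): AwsGuardArgs {
  if (!isLevel(all)) throw new Error(`invalid enforcement level for "all": ${String(all)}`);
  const args: AwsGuardArgs = { all };
  for (const [name, cfg] of Object.entries(overrides)) {
    if (!(KNOWN_POLICIES as readonly string[]).includes(name)) {
      throw new Error(`unknown policy: ${name}`);
    }
    if (cfg === undefined) continue;
    if (typeof cfg === "string") {
      if (!isLevel(cfg)) throw new Error(`invalid enforcement level for ${name}: ${cfg}`);
    } else if (cfg.enforcementLevel !== undefined && !isLevel(cfg.enforcementLevel)) {
      throw new Error(`invalid enforcement level for ${name}: ${String(cfg.enforcementLevel)}`);
    }
    args[name as PolicyName] = cfg;
  }
  return args;
}

// Deny-by-default variant of the README's "disable all except" snippet:
// everything disabled, the listed policies mandatory.
export function onlyEnforce(...names: PolicyName[]): AwsGuardArgs {
  const overrides: Partial<Record<PolicyName, PolicyConfig>> = {};
  for (const n of names) overrides[n] = "mandatory";
  return buildAwsGuardArgs("disabled", overrides);
}

// The README's last snippet, expressed through the helper. "id" and the
// maintenance window are the README's sample values, not real settings.
export const exampleArgs = buildAwsGuardArgs("mandatory", {
  ec2VolumeInUse: { checkDeletion: false },
  encryptedVolumes: { enforcementLevel: "mandatory", kmsId: "id" },
  redshiftClusterMaintenanceSettings: { preferredMaintenanceWindow: "Mon:09:30-Mon:10:00" },
  acmCertificateExpiration: { maxDaysUntilExpiration: 10 },
});

// In the Policy Pack's index.ts this object is what you would hand over:
//   import { AwsGuard } from "@pulumi/awsguard";
//   new AwsGuard(exampleArgs);
```

Because buildAwsGuardArgs validates names against an explicit list, keep that list in step with the policies your installed @pulumi/awsguard version actually exports; the point of the check is that a misspelled key fails the pack's own build rather than silently leaving a policy at the "all" default.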

Test the new Policy Pack

Policy Packs can be tested on a user's local workstation to facilitate rapid development and testing of policies.