AWS Guard Rules Registry

AWS Guard Rules Registry is an open-source repository of AWS CloudFormation Guard rule files and managed rule sets that help organizations shift left in their Software Development Life Cycle (SDLC) processes.

TL;DR

Leverage the existing AWS Guard Registry Rule Sets currently available:

Contribute to the individual AWS Guard Registry Rules:

Create and contribute your own open source AWS Guard Rules Registry custom rule set:

About

AWS Guard Rules Registry is an open-source repository of rule files and managed rule sets for AWS CloudFormation Guard. The intent of the registry is to give users Guard rules that provide policy as code solutions which complement the AWS Config Managed Rules as well as your Guard rules. Many of the Guard rules supported by AWS are best-effort Guard rule implementations of AWS Config Managed Rules.

Note: Not all AWS Config Managed Rules are present in the AWS Guard Rules Registry. Some AWS Config Managed Rules are purely detective in nature (they evaluate resources that are already deployed) and cannot be expressed as infrastructure-as-code checks that fit development practices.

The Guard Rules Registry offers the following value:

Registry Rules Files

One of the intents of AWS Guard Rules Registry is to create modular, single-file Guard rule files that can be mapped into multiple managed rule sets, similar to how AWS Config Conformance Packs work with AWS Config Managed Rules. The AWS Guard Rules Registry contains individual Guard rule files, each associated with a single rule. The rules directory contains multiple sub-directories based on different technologies, providers, and services.

```
rules
├── aws
│   ├── apigateway
│   │   ├── apigw_method_auth_type_is_not_none.guard
│   │   └── tests
│   │       └── apigw_method_auth_type_is_not_none_tests.yml
│   └── dynamodb
│       ├── dynamodb_pitr_enabled.guard
│       └── tests
│           └── dynamodb_pitr_is_enabled_tests.yml
├── kubernetes
└── terraform
```

Many of the Guard rules are supported by AWS and correspond to or complement associated AWS Config Managed Rules. These rules can be identified by their all-uppercase naming convention, which is identical to the AWS Config Managed Rule identifier.

Note: Guard rule names that are in all uppercase are intentionally set this way. The name reflects the AWS Config Managed Rule identifier the Guard rule is satisfying.

Within each directory that contains Guard rules, there is a tests sub-directory that contains unit tests for the corner cases in which we expect the Guard rule to PASS, FAIL, or SKIP. The tests sub-directory contains the corresponding test file for the Guard rule, named with the suffix _tests and with the extension .yml or .json. See the Guard Rules Dev Guide for more detail on how to create unit tests for your Guard rule.
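To make the rule file and test file layout concrete, here is an added example in the shape of a registry rule directory. It is not a copy of the registry's own dynamodb_pitr_enabled.guard or its test file; the rule body, the failure message, and the sample templates in the test cases are all constructed for this illustration. The rule checks that every AWS::DynamoDB::Table in a template has point-in-time recovery enabled, and the companion test file exercises the PASS, FAIL, and SKIP outcomes that the registry's unit tests cover.

```guard
# --- rules/aws/dynamodb/dynamodb_pitr_enabled.guard (example, constructed) ---
# Select every DynamoDB table in the template; the variable is empty when
# the template declares no tables.
let dynamodb_tables = Resources.*[ Type == 'AWS::DynamoDB::Table' ]

# The `when` guard makes the rule SKIP (rather than FAIL) on templates that
# contain no DynamoDB tables, so the rule only speaks about resources it covers.
rule dynamodb_pitr_enabled when %dynamodb_tables !empty {
    # A missing PointInTimeRecoverySpecification fails the clause as well,
    # which is the desired default: backups must be opted into explicitly.
    %dynamodb_tables.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == true
        <<
        Violation: DynamoDB tables must have point-in-time recovery enabled.
        Fix: set Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled to true.
        >>
}

# --- rules/aws/dynamodb/tests/dynamodb_pitr_enabled_tests.yml (example, constructed) ---
# Each test case supplies a minimal CloudFormation template as `input` and the
# outcome expected for each rule name under `expectations.rules`.
#
# - name: PITR explicitly enabled on the only table
#   input:
#     Resources:
#       Orders:
#         Type: AWS::DynamoDB::Table
#         Properties:
#           PointInTimeRecoverySpecification:
#             PointInTimeRecoveryEnabled: true
#   expectations:
#     rules:
#       dynamodb_pitr_enabled: PASS
#
# - name: PITR explicitly disabled
#   input:
#     Resources:
#       Orders:
#         Type: AWS::DynamoDB::Table
#         Properties:
#           PointInTimeRecoverySpecification:
#             PointInTimeRecoveryEnabled: false
#   expectations:
#     rules:
#       dynamodb_pitr_enabled: FAIL
#
# - name: PITR specification omitted entirely (defaults are not trusted)
#   input:
#     Resources:
#       Orders:
#         Type: AWS::DynamoDB::Table
#         Properties:
#           BillingMode: PAY_PER_REQUEST
#   expectations:
#     rules:
#       dynamodb_pitr_enabled: FAIL
#
# - name: Template with no DynamoDB tables is out of scope
#   input:
#     Resources:
#       Bucket:
#         Type: AWS::S3::Bucket
#   expectations:
#     rules:
#       dynamodb_pitr_enabled: SKIP
```

The YAML test cases are shown commented out so that both files fit in one listing; strip the leading `# ` to obtain the actual tests file. With the two files in place, `cfn-guard test --rules-file dynamodb_pitr_enabled.guard --test-data tests/dynamodb_pitr_enabled_tests.yml` evaluates every case and reports any whose outcome differs from the expectation. The third case is the one worth keeping in every registry-style test file: a rule that only compares against an explicit `false` would silently pass templates that never mention the property at all.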

Managed Rule Sets

AWS Guard Rules Registry contains prebuilt managed rule sets compiled from rule mapping files found in the mappings directory. The following managed rule sets are available for use:

| Managed Rule Set | Rule Set Name | Mapping File |
|---|---|---|
| ABS Cloud Computing Implementation Guide 2.0 - Material Workloads | ABS-CCIGv2-Material | Link |
| ABS Cloud Computing Implementation Guide 2.0 - Standard Workloads | ABS-CCIGv2-Standard | Link |
| Australian Cyber Security Centre (ACSC) Essential Eight Maturity Model | acsc-essential-8 | Link |
| Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) 2020-06 | acsc-ism | Link |
| Australian Prudential Regulation Authority (APRA) CPG 234 | apra-cpg-234 | Link |
| Bank Negara Malaysia (BNM) Risk Management in Technology (RMiT) | bnm-rmit | Link |
| Center for Internet Security (CIS) Amazon Web Services Foundation v1.4 Level 1 | cis-aws-benchmark-level-1 | Link |
| Center for Internet Security (CIS) Amazon Web Services Foundation v1.4 Level 2 | cis-aws-benchmark-level-2 | Link |
| Center for Internet Security (CIS) Critical Security Controls v8 IG1 | cis-critical-security-controls-v8-ig1 | Link |
| Center for Internet Security (CIS) Critical Security Controls v8 IG2 | cis-critical-security-controls-v8-ig2 | Link |
| Center for Internet Security (CIS) Critical Security Controls v8 IG3 | cis-critical-security-controls-v8-ig3 | Link |
| Center for Internet Security (CIS) Top 20 Critical Security Controls | cis-top-20 | Link |
| Cybersecurity & Infrastructure Security Agency (CISA) Cyber Essentials (CE) | cisa-ce | Link |
| Cybersecurity Maturity Model Certification (CMMC) Level 1 | cmmc-level-1 | Link |
| Cybersecurity Maturity Model Certification (CMMC) Level 2 | cmmc-level-2 | Link |
| Cybersecurity Maturity Model Certification (CMMC) Level 3 | cmmc-level-3 | Link |
| Cybersecurity Maturity Model Certification (CMMC) Level 4 | cmmc-level-4 | Link |
| Cybersecurity Maturity Model Certification (CMMC) Level 5 | cmmc-level-5 | Link |
| European Union Agency for Cybersecurity (ENISA) Cybersecurity guide for SMEs | enisa-cybersecurity-guide-for-smes | Link |
| Spain Esquema Nacional de Seguridad (ENS) High framework controls | ens-high | Link |
| Spain Esquema Nacional de Seguridad (ENS) Low framework controls | ens-low | Link |
| Spain Esquema Nacional de Seguridad (ENS) Medium framework controls | ens-medium | Link |
| Title 21 of the Code of Federal Regulations (CFR) Part 11 | FDA-21CFR-Part-11 | Link |
| Federal Risk and Authorization Management Program (FedRAMP) Moderate | fedramp-moderate | Link |
| Federal Risk and Authorization Management Program (FedRAMP) Low | fedramp-low | Link |
| Federal Financial Institutions Examination Council (FFIEC) Cyber Security Assessment Tool domains | ffiec | Link |
| Health Insurance Portability and Accountability Act (HIPAA) | hipaa-security | Link |
| Korea – Information Security Management System (ISMS) | k-isms | Link |
| Monetary Authority of Singapore (MAS) Notice 655 – Cyber Hygiene | mas-notice-655 | Link |
| Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines (TRMG) January 2021 | mas-trmg | Link |
| National Bank of Cambodia's (NBC) Technology Risk Management (TRM) Guidelines framework | nbc-trmg | Link |
| UK National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) controls | ncsc-cafv3 | Link |
| UK National Cyber Security Centre (NCSC) Cloud Security Principles | ncsc | Link |
| North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP) for BES Cyber System Information (BCSI), CIP-004-7 & CIP-011-3 | nerc | Link |
| NIST 1800-25 | nist-1800-25 | Link |
| NIST 800-171 | nist-800-171 | Link |
| NIST 800-172 | nist-800-172 | Link |
| NIST 800-181 | nist-800-181 | Link |
| NIST 800-53 Revision 4 | nist800-53rev4 | Link |
| NIST 800-53 Revision 5 | nist800-53rev5 | Link |
| NIST Cyber Security Framework (CSF) | nist-csf | Link |
| NIST Privacy Framework | nist-privacy-framework | Link |
| New Zealand Government Communications Security Bureau (GCSB) Information Security Manual (NZISM) | nzism | Link |
| Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 | PCI-DSS-3-2-1 | Link |
| Reserve Bank of India (RBI) Cyber Security Framework for Urban Cooperative Banks (UCBs) | rbi-bcsf-ucb | Link |
| Reserve Bank of India (RBI) Master Direction – Information Technology Framework | rbi-md-itf | Link |
| New York State Department Of Financial Services (NYDFS) cybersecurity requirements for financial services companies (23 NYCRR 500) | us-nydfs | Link |
| Amazon Web Services' Well-Architected Framework Reliability Pillar | wa-Reliability-Pillar | Link |
| AWS Guard rule set for Amazon Web Services' Well-Architected Framework Security Pillar | wa-Security-Pillar | Link |

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.