diff --git a/Makefile b/Makefile
index 807462d6d0c2..175903aa1202 100644
--- a/Makefile
+++ b/Makefile
@@ -152,3 +152,8 @@ deploy-dev-stack:
 .PHONY: destroy-dev-stack
 destroy-dev-stack:
 ./scripts/destroy-dev-stack.sh
+
+.PHONY: generate-compliance-pages
+generate-compliance-pages:
+ node scripts/aws-compliance-scraper/scrape.js
+ ./scripts/content/generate-compliance-pages.sh
diff --git a/content/compliance/_index.md b/content/compliance/_index.md
new file mode 100644
index 000000000000..6ca0b2e9958e
--- /dev/null
+++ b/content/compliance/_index.md
@@ -0,0 +1,4 @@
+---
+title: Compliance
+meta_desc: Pulumi helps achieve compliance by enforcing security, cost, and compliance requirements. Speak with an expert to get started.
+---
\ No newline at end of file
diff --git a/content/compliance/aws-pci dss.md b/content/compliance/aws-pci dss.md
new file mode 100644
index 000000000000..b4af958ba3ac
--- /dev/null
+++ b/content/compliance/aws-pci dss.md
@@ -0,0 +1,15 @@
+---
+# This file is auto-generated. Any alterations made within are subject
+# to being overwritten.
+title: "PCI DSS Compliance for AWS"
+cloud: AWS
+layout: "pci-dss"
+slug: pci-dss-aws
+framework: PCI DSS
+service: "AWS"
+full: "AWS cloud infrastructure"
+description: "PCI DSS (Payment Card Industry Data Security Standard) compliance refers to the adherence to a set of security standards designed to protect card information during and after a financial transaction. These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB."
+page_type: cloud
+meta_desc: Pulumi helps achieve PCI DSS compliance for AWS by enforcing security, cost, and compliance requirements. Speak with an expert to get started.
+---
+
diff --git a/content/compliance/pci-dss-aws-api-gateway.md b/content/compliance/pci-dss-aws-api-gateway.md
new file mode 100644
index 000000000000..d237a10fc7da
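Review bot: The generated cloud-level page is written to `content/compliance/aws-pci dss.md`, a path containing a literal space that matches neither its own `slug: pci-dss-aws` nor the `pci-dss-aws-<service>.md` naming of the service pages in this commit, so the file name appears to be built from the unslugified framework name. The generator (`scripts/content/generate-compliance-pages.sh`, not in this diff) should derive the file name from the slug, giving `pci-dss-aws.md`, and the committed file renamed to match. The quoting also differs from the service pages (`title`, `service` and `full` are quoted here but unquoted there), which suggests two separate front-matter templates that can drift; one template with a conditional `whatis` line would avoid that. Note too that `service: "AWS"` merely duplicates `cloud: AWS` so that layouts can test `eq .Params.cloud .Params.service`, while `page_type: cloud` already carries that information.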
--- /dev/null
+++ b/content/compliance/pci-dss-aws-api-gateway.md
@@ -0,0 +1,16 @@
+---
+# This file is auto-generated. Any alterations made within are subject
+# to being overwritten.
+title: PCI DSS Compliance for AWS API Gateway
+cloud: AWS
+layout: "pci-dss"
+slug: pci-dss-aws-api-gateway
+framework: PCI DSS
+service: API Gateway
+full: API Gateway
+description: "PCI DSS (Payment Card Industry Data Security Standard) compliance refers to the adherence to a set of security standards designed to protect card information during and after a financial transaction. These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB."
+whatis: "Amazon API Gateway is a fully managed service that enables you to create, publish, and manage APIs at any scale. It simplifies building and securing REST, HTTP, and WebSocket APIs, handling tasks like authorization, throttling, and monitoring. API Gateway integrates seamlessly with AWS services, allowing you to connect backend systems, Lambda functions, and other endpoints with ease."
+page_type: service
+meta_desc: Pulumi helps achieve PCI DSS compliance for AWS API Gateway by enforcing security, cost, and compliance requirements. Speak with an expert to get started.
+---
+
diff --git a/content/compliance/pci-dss-aws-ec2.md b/content/compliance/pci-dss-aws-ec2.md
new file mode 100644
index 000000000000..7071991d792d
--- /dev/null
+++ b/content/compliance/pci-dss-aws-ec2.md
@@ -0,0 +1,16 @@
+---
+# This file is auto-generated. Any alterations made within are subject
+# to being overwritten.
+title: PCI DSS Compliance for AWS EC2
+cloud: AWS
+layout: "pci-dss"
+slug: pci-dss-aws-ec2
+framework: PCI DSS
+service: EC2
+full: EC2 resources
+description: "PCI DSS (Payment Card Industry Data Security Standard) compliance refers to the adherence to a set of security standards designed to protect card information during and after a financial transaction. These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB."
+whatis: "Amazon EC2 (Elastic Compute Cloud) is a web service that provides scalable computing capacity in the cloud, allowing users to run virtual servers on-demand. It offers server instances, storage, and networking options to tailor the infrastructure to specific application needs."
+page_type: service
+meta_desc: Pulumi helps achieve PCI DSS compliance for AWS EC2 by enforcing security, cost, and compliance requirements. Speak with an expert to get started.
+---
+
diff --git a/content/compliance/pci-dss-aws-ecs.md b/content/compliance/pci-dss-aws-ecs.md
new file mode 100644
index 000000000000..587d35580e26
--- /dev/null
+++ b/content/compliance/pci-dss-aws-ecs.md
@@ -0,0 +1,16 @@
+---
+# This file is auto-generated. Any alterations made within are subject
+# to being overwritten.
+title: PCI DSS Compliance for AWS ECS
+cloud: AWS
+layout: "pci-dss"
+slug: pci-dss-aws-ecs
+framework: PCI DSS
+service: ECS
+full: ECS Cluster
+description: "PCI DSS (Payment Card Industry Data Security Standard) compliance refers to the adherence to a set of security standards designed to protect card information during and after a financial transaction. These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB."
+whatis: "Amazon ECS (Elastic Container Service) is a fully managed container orchestration service that allows you to run and scale containerized applications in the cloud. It simplifies the deployment and management of containers, handling tasks like load balancing, scaling, and security. ECS integrates seamlessly with other AWS services, making it easy to build and manage resilient, scalable applications."
+page_type: service
+meta_desc: Pulumi helps achieve PCI DSS compliance for AWS ECS by enforcing security, cost, and compliance requirements. Speak with an expert to get started.
+---
+
diff --git a/content/compliance/pci-dss-aws-eks.md b/content/compliance/pci-dss-aws-eks.md
new file mode 100644
index 000000000000..ae0361885edb
--- /dev/null
+++ b/content/compliance/pci-dss-aws-eks.md
@@ -0,0 +1,16 @@
+---
+# This file is auto-generated. Any alterations made within are subject
+# to being overwritten.
+title: PCI DSS Compliance for AWS EKS
+cloud: AWS
+layout: "pci-dss"
+slug: pci-dss-aws-eks
+framework: PCI DSS
+service: EKS
+full: EKS Cluster
+description: "PCI DSS (Payment Card Industry Data Security Standard) compliance refers to the adherence to a set of security standards designed to protect card information during and after a financial transaction. These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB."
+whatis: "Amazon EKS (Elastic Kubernetes Service) is a fully managed service that simplifies running Kubernetes on AWS, allowing you to deploy, manage, and scale containerized applications. It handles the complexity of Kubernetes operations, including patching, scaling, and managing the control plane. EKS integrates with AWS services, providing a secure and scalable platform for running Kubernetes workloads in the cloud."
+page_type: service
+meta_desc: Pulumi helps achieve PCI DSS compliance for AWS EKS by enforcing security, cost, and compliance requirements. Speak with an expert to get started.
+---
+
diff --git a/content/compliance/pci-dss-aws-iam.md b/content/compliance/pci-dss-aws-iam.md
new file mode 100644
index 000000000000..8b23042b9809
--- /dev/null
+++ b/content/compliance/pci-dss-aws-iam.md
@@ -0,0 +1,16 @@
+---
+# This file is auto-generated. Any alterations made within are subject
+# to being overwritten.
+title: PCI DSS Compliance for AWS IAM
+cloud: AWS
+layout: "pci-dss"
+slug: pci-dss-aws-iam
+framework: PCI DSS
+service: IAM
+full: IAM Roles and Policies
+description: "PCI DSS (Payment Card Industry Data Security Standard) compliance refers to the adherence to a set of security standards designed to protect card information during and after a financial transaction. These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB."
+whatis: "AWS IAM (Identity and Access Management) is a service that enables you to securely manage access to AWS resources. It allows you to create and control user permissions, defining who can access specific resources and under what conditions. IAM helps ensure security and compliance by enforcing fine-grained access controls across your AWS environment."
+page_type: service
+meta_desc: Pulumi helps achieve PCI DSS compliance for AWS IAM by enforcing security, cost, and compliance requirements. Speak with an expert to get started.
+---
+
diff --git a/content/compliance/pci-dss-aws-rds.md b/content/compliance/pci-dss-aws-rds.md
new file mode 100644
index 000000000000..e15ead982322
--- /dev/null
+++ b/content/compliance/pci-dss-aws-rds.md
@@ -0,0 +1,16 @@
+---
+# This file is auto-generated. Any alterations made within are subject
+# to being overwritten.
+title: PCI DSS Compliance for AWS RDS
+cloud: AWS
+layout: "pci-dss"
+slug: pci-dss-aws-rds
+framework: PCI DSS
+service: RDS
+full: RDS resources
+description: "PCI DSS (Payment Card Industry Data Security Standard) compliance refers to the adherence to a set of security standards designed to protect card information during and after a financial transaction. These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB."
+whatis: "Amazon RDS (Relational Database Service) is a managed service that simplifies setting up, operating, and scaling relational databases in the cloud. It supports multiple database engines and automates tasks like backups, patching, and monitoring."
+page_type: service
+meta_desc: Pulumi helps achieve PCI DSS compliance for AWS RDS by enforcing security, cost, and compliance requirements. Speak with an expert to get started.
+---
+
diff --git a/data/compliance/controls.json b/data/compliance/controls.json
new file mode 100644
index 000000000000..616880140357
--- /dev/null
+++ b/data/compliance/controls.json
@@ -0,0 +1,146 @@ +{ + "RDS": [ + "RDS snapshot should be private", + "RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", + "RDS DB instances should have encryption at-rest enabled", + "RDS cluster snapshots and database snapshots should be encrypted at rest", + "RDS DB instances should be configured with multiple Availability Zones", + "Enhanced monitoring should be configured for RDS DB instances", + "RDS clusters should have deletion protection enabled", + "RDS DB instances should have deletion protection enabled", + "RDS DB instances should publish logs to CloudWatch Logs", + "IAM authentication should be configured for RDS instances", + "RDS instances should have automatic backups enabled", + "IAM authentication should be configured for RDS clusters", + "RDS automatic minor version upgrades should be enabled", + "Amazon Aurora clusters should have backtracking enabled", + "RDS DB clusters should be configured for multiple Availability Zones", + "RDS DB clusters should be configured to copy tags to snapshots", + "RDS DB instances should be configured to copy tags to snapshots", + "RDS instances should be deployed in a VPC", + "Existing RDS event notification subscriptions should be configured for critical cluster events", + "Existing RDS event notification subscriptions should be configured for critical database instance events", + "An RDS event notifications subscription should be configured for critical database parameter group events", + "An RDS event notifications subscription should be configured for critical database security group events", + "RDS instances should not use a database engine default port", + "RDS Database clusters should use a custom administrator username", + "RDS database instances should use a custom administrator username", + "RDS DB instances should be protected by a backup plan", + "RDS DB clusters should be encrypted at rest", + "RDS DB clusters should be tagged", + "RDS DB 
cluster snapshots should be tagged", + "RDS DB instances should be tagged", + "RDS DB security groups should be tagged", + "RDS DB snapshots should be tagged", + "RDS DB subnet groups should be tagged", + "Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs", + "RDS DB clusters should have automatic minor version upgrade enabled" + ], + "EC2": [ + "Amazon EBS snapshots should not be publicly restorable", + "VPC default security groups should not allow inbound or outbound traffic", + "Attached Amazon EBS volumes should be encrypted at-rest", + "Stopped EC2 instances should be removed after a specified time period", + "VPC flow logging should be enabled in all VPCs", + "EBS default encryption should be enabled", + "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "Amazon EC2 instances should not have a public IPv4 address", + "Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service", + "Unused Amazon EC2 EIPs should be removed", + "Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22", + "Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", + "Amazon EC2 subnets should not automatically assign public IP addresses", + "Unused Network Access Control Lists should be removed", + "Amazon EC2 instances should not use multiple ENIs", + "Security groups should only allow unrestricted incoming traffic for authorized ports", + "Security groups should not allow unrestricted access to ports with high risk", + "Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389", + "Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests", + "Amazon EC2 paravirtual instance types should not be used", + "Amazon EC2 launch templates should not assign public IPs to network interfaces", + "EBS volumes should be covered by a backup plan", + "EC2 
transit gateway attachments should be tagged", + "EC2 transit gateway route tables should be tagged", + "EC2 network interfaces should be tagged", + "EC2 customer gateways should be tagged", + "EC2 Elastic IP addresses should be tagged", + "EC2 instances should be tagged", + "EC2 internet gateways should be tagged", + "EC2 NAT gateways should be tagged", + "EC2 network ACLs should be tagged", + "EC2 route tables should be tagged", + "EC2 security groups should be tagged", + "EC2 subnets should be tagged", + "EC2 volumes should be tagged", + "Amazon VPCs should be tagged", + "Amazon VPC endpoint services should be tagged", + "Amazon VPC flow logs should be tagged", + "Amazon VPC peering connections should be tagged", + "EC2 VPN gateways should be tagged", + "EC2 Client VPN endpoints should have client connection logging enabled", + "EC2 transit gateways should be tagged", + "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", + "EC2 security groups should not allow ingress from ::/0 to remote server administration ports" + ], + "ECS": [ + "Amazon ECS task definitions should have secure networking modes and user definitions.", + "ECS services should not have public IP addresses assigned to them automatically", + "ECS task definitions should not share the host's process namespace", + "ECS containers should run as non-privileged", + "ECS containers should be limited to read-only access to root filesystems", + "Secrets should not be passed as container environment variables", + "ECS task definitions should have a logging configuration", + "ECS Fargate services should run on the latest Fargate platform version", + "ECS clusters should use Container Insights", + "ECS services should be tagged", + "ECS clusters should be tagged", + "ECS task definitions should be tagged" + ], + "EKS": [ + "EKS cluster endpoints should not be publicly accessible", + "EKS clusters should run on a supported Kubernetes version", + "EKS clusters 
should use encrypted Kubernetes secrets", + "EKS clusters should be tagged", + "EKS identity provider configurations should be tagged", + "EKS clusters should have audit logging enabled" + ], + "API Gateway": [ + "API Gateway REST and WebSocket API execution logging should be enabled", + "API Gateway REST API stages should be configured to use SSL certificates for backend authentication", + "API Gateway REST API stages should have AWS X-Ray tracing enabled", + "API Gateway should be associated with a WAF Web ACL", + "API Gateway REST API cache data should be encrypted at rest", + "API Gateway routes should specify an authorization type", + "Access logging should be configured for API Gateway V2 Stages" + ], + "IAM": [ + "IAM policies should not allow full \"*\" administrative privileges", + "IAM users should not have IAM policies attached", + "IAM users' access keys should be rotated every 90 days or less", + "IAM root user access key should not exist", + "MFA should be enabled for all IAM users that have a console password", + "Hardware MFA should be enabled for the root user", + "Password policies for IAM users should have strong configurations", + "Unused IAM user credentials should be removed", + "MFA should be enabled for the root user", + "Password policies for IAM users should have strong AWS Configurations", + "Ensure IAM password policy requires at least one uppercase letter", + "Ensure IAM password policy requires at least one lowercase letter", + "Ensure IAM password policy requires at least one symbol", + "Ensure IAM password policy requires at least one number", + "Ensure IAM password policy requires minimum password length of 14 or greater", + "Ensure IAM password policy prevents password reuse", + "Ensure IAM password policy expires passwords within 90 days or less", + "Ensure a support role has been created to manage incidents with AWS Support", + "MFA should be enabled for all IAM users", + "IAM customer managed policies that you create should not 
allow wildcard actions for services", + "IAM user credentials unused for 45 days should be removed", + "IAM Access Analyzer analyzers should be tagged", + "IAM roles should be tagged", + "IAM users should be tagged", + "Expired SSL/TLS certificates managed in IAM should be removed", + "IAM identities should not have the AWSCloudShellFullAccess policy attached", + "IAM Access Analyzer external access analyzer should be enabled" + ] +} \ No newline at end of file diff --git a/data/compliance/pages.json b/data/compliance/pages.json new file mode 100644 index 000000000000..0ae9d220af56 --- /dev/null +++ b/data/compliance/pages.json 
@@ -0,0 +1,43 @@
+{
+ "frameworks": [
+ {
+ "framework": "PCI DSS",
+ "cloud": "AWS",
+ "description": "PCI DSS (Payment Card Industry Data Security Standard) compliance refers to the adherence to a set of security standards designed to protect card information during and after a financial transaction. These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB."
+ }
+ ],
+ "services": [
+ {
+ "name": "RDS",
+ "full": "RDS resources",
+ "category": "database",
+ "whatis": "Amazon RDS (Relational Database Service) is a managed service that simplifies setting up, operating, and scaling relational databases in the cloud. It supports multiple database engines and automates tasks like backups, patching, and monitoring."
+ },
+ {
+ "name": "EC2",
+ "full": "EC2 resources",
+ "category": "server",
+ "whatis": "Amazon EC2 (Elastic Compute Cloud) is a web service that provides scalable computing capacity in the cloud, allowing users to run virtual servers on-demand. It offers server instances, storage, and networking options to tailor the infrastructure to specific application needs."
+ },
+ {
+ "name": "ECS",
+ "full": "ECS Cluster",
+ "whatis": "Amazon ECS (Elastic Container Service) is a fully managed container orchestration service that allows you to run and scale containerized applications in the cloud. It simplifies the deployment and management of containers, handling tasks like load balancing, scaling, and security. ECS integrates seamlessly with other AWS services, making it easy to build and manage resilient, scalable applications."
+ },
+ {
+ "name": "EKS",
+ "full": "EKS Cluster",
+ "whatis": "Amazon EKS (Elastic Kubernetes Service) is a fully managed service that simplifies running Kubernetes on AWS, allowing you to deploy, manage, and scale containerized applications. It handles the complexity of Kubernetes operations, including patching, scaling, and managing the control plane. EKS integrates with AWS services, providing a secure and scalable platform for running Kubernetes workloads in the cloud."
+ },
+ {
+ "name": "API Gateway",
+ "full": "API Gateway",
+ "whatis": "Amazon API Gateway is a fully managed service that enables you to create, publish, and manage APIs at any scale. It simplifies building and securing REST, HTTP, and WebSocket APIs, handling tasks like authorization, throttling, and monitoring. API Gateway integrates seamlessly with AWS services, allowing you to connect backend systems, Lambda functions, and other endpoints with ease."
+ },
+ {
+ "name": "IAM",
+ "full": "IAM Roles and Policies",
+ "whatis": "AWS IAM (Identity and Access Management) is a service that enables you to securely manage access to AWS resources. It allows you to create and control user permissions, defining who can access specific resources and under what conditions. IAM helps ensure security and compliance by enforcing fine-grained access controls across your AWS environment."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/layouts/compliance/cis.html b/layouts/compliance/cis.html
new file mode 100644
index 000000000000..495ca5a00c88
--- /dev/null
+++ b/layouts/compliance/cis.html
@@ -0,0 +1,235 @@
+{{ define "main" }}
+{{ partial "hero.html" (dict "title" .Title) }}
+
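Review bot: `category` is set for only the RDS and EC2 entries of `services` and is not read by any layout in this diff, so the schema the page generator consumes is non-uniform and a reader of `generate-compliance-pages.sh` cannot tell whether the missing values are intentional. Either give every service a `category` or drop the key until something consumes it. The `whatis` and `description` strings end up in the generated front matter and are printed through `{{ .Params.whatis }}` / `{{ .Params.description }}`, so they are emitted as escaped text by Hugo's HTML templating; they should stay plain prose rather than carrying markup that a later `safeHTML` would be tempted to unlock.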
+
+

{{ .Title }}

+

+ CIS compliance is crucial for establishing strong security controls and safeguarding your cloud + infrastructure against cyber threats. Pulumi can assist you in making your AWS cloud infrastructure + CIS compliant. Pulumi can also help you identify existing cloud resources that do not align with CIS + benchmarks, and it can enforce security policies proactively before infrastructure is deployed. + Get started with Pulumi to take advantage of these compliance tools, or speak with a Solutions + Architect to receive expert guidance on achieving CIS compliance. +

+ +
+
+
+
+

What is CIS Compliance?

+

+ {{ .Params.description }} +

+
+
+
+
+

Key Aspects of CIS Compliance

+ +

Benefits of CIS Compliance

+ +
+
+ {{ if eq .Params.cloud .Params.service }} +
+
+

CIS Compliance for your AWS Infrastructure

+

1. Identity and Access Management (IAM)

+ +

2. Logging and Monitoring

+ +

3. Networking

+ +

4. Encryption

+ +

5. Auditing and Assessment Tools

+ +

6. Automation and Continuous Compliance

+ +

7. Documentation and Reporting

+ + +
+
+ {{ end }} + + {{ partial "compliance/insights.html" . }} + + +
+ {{ partial "learnmore-contactus.html" . }} +
+{{ end }} \ No newline at end of file diff --git a/layouts/compliance/iso-27001.html b/layouts/compliance/iso-27001.html new file mode 100644 index 000000000000..eed0ce421f3d --- /dev/null +++ b/layouts/compliance/iso-27001.html @@ -0,0 +1,278 @@ +{{ define "main" }} +{{ partial "hero.html" (dict "title" .Title) }} +
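Review bot: The cloud-vs-service branch is chosen with `{{ if eq .Params.cloud .Params.service }}`, whereas `pci-dss.html` in this same commit keys the identical decision on `eq .Params.page_type "cloud"` and `list.html` also tests `page_type`; `iso-27001.html` repeats the `cloud`/`service` comparison. `page_type` is the field the generator sets for exactly this purpose (`page_type: cloud` / `page_type: service`), so both templates should use `{{ if eq .Params.page_type "cloud" }}` and stop depending on the cloud page setting `service` equal to `cloud`. The intro paragraph here, and the equivalent paragraphs in `iso-27001.html` and `pci-dss.html`, hardcode "AWS" although `{{ .Params.cloud }}` is available and `pages.json` is keyed per cloud; `your {{ .Params.cloud }} cloud infrastructure` keeps the layouts reusable. Separately, none of the three layouts in this diff call `compliance/controls.html`, so unless the `insights.html` partial (which runs past the end of this excerpt) does, the service pages never render the controls list that partial was added for.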
+
+

{{ .Title }}

+

+ ISO 27001 compliance is essential for ensuring the security and management of sensitive + information across your organization. Pulumi can assist you in making your AWS cloud + infrastructure ISO 27001 compliant. Pulumi can help you identify existing cloud resources + that do not meet ISO 27001 standards, and it can also enforce security policies proactively + before infrastructure is deployed. Get started with Pulumi to leverage these compliance tools, + or speak with a Solutions Architect to receive expert consultation on achieving ISO 27001 + certification. +

+ +
+
+
+
+

What is ISO 27001 Compliance?

+

+ {{ .Params.description }} +

+
+
+
+
+

Key Aspects of ISO 27001 Compliance

+
    +
  1. + Risk Management: ISO 27001 requires organizations to + assess risks related to their information assets and implement controls + to mitigate these risks. +
  2. + +
  3. + Security Controls: The standard includes a + comprehensive set of security controls (outlined in Annex A) that cover + areas like access control, cryptography, physical security, and incident + management. +
  4. + +
  5. + ISMS Implementation: Organizations must establish an + ISMS, which is a systematic approach to managing sensitive company + information so that it remains secure. This involves setting policies, + procedures, and controls. +
  6. + +
  7. + Continuous Improvement: ISO 27001 emphasizes the + importance of continually monitoring, reviewing, and improving the ISMS + to adapt to changing security risks and business needs. +
  8. + +
  9. + Compliance and Certification: Organizations can seek + certification to ISO 27001 by undergoing an external audit conducted by + a certification body. Certification demonstrates that an organization + has implemented best practices for information security management. +
  10. + +
  11. + Legal and Regulatory Requirements: ISO 27001 helps + organizations comply with legal, regulatory, and contractual obligations + related to information security. +
  12. +
+
+
+{{ if eq .Params.cloud .Params.service }} +
+
+

ISO 27001 Compliance for your AWS infrastructure

+

+ To make your {{ .Params.full }} compliant with ISO 27001, you need to align + your information security management practices with the ISO 27001 standard. + Below is a checklist to guide you through the necessary steps: +

+

1. Establish an Information Security Management System (ISMS)

+ +

2. Conduct a Risk Assessment

+ +

3. Implement Security Controls

+ +

4. Leadership and Commitment

+ +

5. Awareness and Training

+ +

6. Operational Security

+ +

7. Supplier Management

+ +

8. Performance Evaluation

+ +

9. Continuous Improvement

+ +

10. Certification

+ +

11. Documentation

+ +

+ By following these steps, you'll align your {{ .Params.full }} with ISO 27001 + requirements and help ensure the security of your information assets. + Remember that achieving ISO 27001 compliance is an ongoing process, + requiring regular reviews and updates to your ISMS. +

+
+
+{{end}} + +{{ partial "compliance/insights.html" . }} + +
+ {{ partial "learnmore-contactus.html" . }} +
+{{ end }} \ No newline at end of file diff --git a/layouts/compliance/list.html b/layouts/compliance/list.html new file mode 100644 index 000000000000..cdc31db43f56 --- /dev/null +++ b/layouts/compliance/list.html @@ -0,0 +1,52 @@ +{{ define "main" }} +{{ $pagelist := .Pages }} +{{ partial "hero.html" (dict "title" .Title) }} + +
+
+
+
+
+

+ Ensuring that your cloud infrastructure is compliant with frameworks like PCI-DSS, ISO 27001, and CIS + is critical for safeguarding sensitive data, maintaining customer trust, and adhering to legal and + regulatory requirements. Compliance with these frameworks demonstrates a commitment to implementing + best practices in security and risk management, which helps protect against data breaches, + cyber threats, and operational disruptions. +

+
+
+ {{ $frameworks := index .Site.Data.compliance "pages" }} + {{ range $framework := $frameworks.frameworks }} + {{ $pages := where $pagelist "Params.framework" $framework.framework }} + + {{ if $pages }} + {{ range $pages }} + {{ if eq .Params.page_type "cloud" }} +
+
+

{{ $framework.framework }} Compliance for {{ .Params.cloud + }} +

+

+ {{ .Params.description }} +

+

Learn more about how Pulumi can help your AWS services to meet {{ $framework.framework }} compliance:

+
+ {{ else }} + + {{ end }} + {{ end }} +
+ {{ end }} + {{ end }} +
+
+
+
+{{ end }} \ No newline at end of file diff --git a/layouts/compliance/pci-dss.html b/layouts/compliance/pci-dss.html new file mode 100644 index 000000000000..cf1c251c476c --- /dev/null +++ b/layouts/compliance/pci-dss.html @@ -0,0 +1,241 @@ +{{ define "main" }} +{{ partial "hero.html" (dict "title" .Title) }} +{{ $cloud_page := eq .Params.page_type "cloud" }} +
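Review bot: `where $pagelist "Params.framework" $framework.framework` selects pages by framework only, so as soon as `pages.json` lists the same framework for a second cloud, every cloud's pages will be rendered under each framework entry; filter on the cloud too, `{{ $pages := where (where $pagelist "Params.framework" $framework.framework) "Params.cloud" $framework.cloud }}`. The heading "Learn more about how Pulumi can help your AWS services to meet … compliance" hardcodes the cloud name inside a loop that already has `$framework.cloud`, and would print the wrong label in that same multi-cloud case; use `{{ $framework.cloud }}` there. Both points are latent today because the data file holds a single framework/cloud pair.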
+
+

{{ .Title }}

+

+ PCI DSS compliance is critical to protecting cardholder data that is processed, stored, and transmitted. + Pulumi can assist you with making your AWS cloud infrastructure PCI DSS compliant. Pulumi can help you identify + existing cloud resources that are not in compliance, and it can also enforce compliance policies proactively + before infrastructure is deployed. Get started with Pulumi to use these compliance tools or speak with a + Solutions Architect to get an expert consultation. +

+ +
+
+
+
+

What is PCI DSS Compliance?

+

+ {{ .Params.description }} +

+
+
+
+
+

Key Aspects of PCI DSS Compliance

+
    +
  1. + Security Controls: Organizations must implement + specific technical and operational security measures to safeguard + cardholder data. This includes requirements like installing + firewalls, encrypting cardholder data, and using antivirus software. +
  2. + +
  3. + Access Control: Only authorized personnel should + have access to cardholder data. This involves setting up strong + access control measures, such as unique user IDs and restricting + physical access to sensitive data. +
  4. + +
  5. + Monitoring and Testing: Regularly monitor and test + networks to ensure that security controls are functioning correctly + and to identify vulnerabilities. This includes maintaining logs of + all access to network resources and cardholder data. +
  6. + +
  7. + Information Security Policy: Organizations must + maintain a policy that addresses information security for employees + and contractors. This includes regular security awareness training. +
  8. + +
  9. + Regular Audits: Organizations that process, store, + or transmit credit card information must undergo regular audits to + ensure they are in compliance with PCI DSS requirements. This can + involve self-assessment or external assessments, depending on the + size of the organization and the volume of transactions processed. +
  10. +
+
+
+ + {{ if $cloud_page }} +
+
+

12 PCI DSS Requirements

+

+ To ensure that your {{ .Params.full }} become PCI-DSS compliant, you'll need to + adhere to the 12 PCI-DSS requirements. Here's a breakdown of what you need + to do: +

+

+ 1. Install and Maintain a Firewall Configuration to Protect Cardholder Data +

+ +

+ 2. Do Not Use Vendor-Supplied Defaults for System Passwords and Other + Security Parameters +

+ +

3. Protect Stored Cardholder Data

+ +

4. Encrypt Transmission of Cardholder Data Across Open, Public Networks

+ + +

5. Use and Regularly Update Anti-Virus Software or Programs

+ +

6. Develop and Maintain Secure Systems and Applications

+ +

7. Restrict Access to Cardholder Data by Business Need to Know

+ + +

8. Identify and Authenticate Access to System Components

+ + +

9. Restrict Physical Access to Cardholder Data

+ +

+ 10. Track and Monitor All Access to Network Resources and Cardholder Data +

+ +

11. Regularly Test Security Systems and Processes

+ +

+ 12. Maintain a Policy That Addresses Information Security for All Personnel +

+ +

Additional Considerations:

+ +
+
+ {{ end }} + + {{ partial "compliance/insights.html" . }} + +
+ {{ partial "learnmore-contactus.html" . }} +
+{{ end }} \ No newline at end of file diff --git a/layouts/partials/compliance/controls.html b/layouts/partials/compliance/controls.html new file mode 100644 index 000000000000..ee039cbfa249 --- /dev/null +++ b/layouts/partials/compliance/controls.html @@ -0,0 +1,29 @@ +
+
+

What is {{ .Params.service }}?

+

+ {{ .Params.whatis }} +

+
+
+
+
+

What controls can I put in place to evaluate {{ .Params.service }} resources?

+
+ {{ $key := .Params.service }} + {{ $controls := index .Site.Data.compliance "controls" }} + {{ $array := index $controls $key }} +
    + {{ range $array }} +
  • {{ . }}
  • + {{ end }} +
+
+
+

Speak to a Solutions Architect to implement policy as code to manage {{ .Params.service }} resources for {{ .Params.framework }} compliance.

+ +
+
+
\ No newline at end of file diff --git a/layouts/partials/compliance/insights.html b/layouts/partials/compliance/insights.html new file mode 100644 index 000000000000..3d43e9192028 --- /dev/null +++ b/layouts/partials/compliance/insights.html @@ -0,0 +1,72 @@ +
+
+
+

Pulumi Insights

+

+ Use Pulumi Insights to gain visibility into your cloud + infrastructure's + configuration to assess {{ .Params.framework }} compliance. Pulumi Insights is Intelligent + Cloud Management. It helps you gain security, compliance, and cost insights into the entirety + of your organization's cloud assets and automatically remediate issues. +

+ +

Pulumi Copilot

+

+ Use Pulumi Copilot to assist configuring your infrastructure + to make it compliance ready. You can tap into the Pulumi Copilot's deep understanding of your + organization's context to gain visibility into the configuration of resources and assess + their compliance. +

+ +
+
+ + +
+
+

Compliance Ready Policies

+

+ With comprehensive coverage of {{ .Params.cloud }}, + Pulumi Compliance Ready Policies + provide an enhanced level of control and governance over your cloud resources. Pulumi Compliance Ready + Policies empower you to enforce best practices, security standards, cost controls, and compliance requirements + seamlessly within your infrastructure-as-code workflows. +

+
+
+
+ +{{ if eq .Params.page_type "service" }} +{{ partial "compliance/controls.html" . }} +{{ end }} + +{{ if eq .Params.page_type "cloud" }} +
+
+

Compliance for AWS Services

+ {{ $pages := where .Parent.RegularPages "Params.framework" .Params.framework }} +

Learn more about how Pulumi can make your AWS services {{.Params.framework}} compliant.

+
+ {{ range $pages }} + {{ if ne .File.Path $.File.Path }} + + {{ end }} + {{ end }} +
+
+
+{{ end }} + + +
+
+

Talk to a Solutions Architect

+

Get in touch with our Solutions Architects to get all your resources in use with Pulumi Insights

+ +
+
\ No newline at end of file diff --git a/package.json b/package.json index c397feb79534..10aa4a28807b 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,7 @@ "@octokit/rest": "^18.5.3", "@slack/web-api": "^5.12.0", "algoliasearch": "^4.17.0", - "axios": "^1.4.0", + "axios": "^1.7.4", "axios-retry": "^3.5.1", "broken-link-checker": "^0.7.8", "cheerio": "^1.0.0-rc.12", diff --git a/scripts/aws-compliance-scraper/scrape.js b/scripts/aws-compliance-scraper/scrape.js new file mode 100644 index 000000000000..bb35944e0f39 --- /dev/null +++ b/scripts/aws-compliance-scraper/scrape.js 
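Review bot: The "Compliance for AWS Services" heading and the "make your AWS services … compliant" sentence in the cloud-page branch of insights.html hard-code the cloud name, although the same partial already reads it from front matter as `{{ .Params.cloud }}` in the Compliance Ready Policies section. Any non-AWS cloud page rendered with this partial would therefore carry the wrong heading; `Compliance for {{ .Params.cloud }} Services` and `Learn more about how Pulumi can make your {{ .Params.cloud }} services {{ .Params.framework }} compliant.` keep the text consistent with the front matter. The unspaced `{{.Params.framework}}` in that sentence also differs from the `{{ .Params.framework }}` spelling used everywhere else in the file.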
@@ -0,0 +1,72 @@
+// Script to scrape the compliance controls from the AWS security hub pages, to populate
+// the list on compliance pages. This reads the /data/compliance/pages.json file and
+// retrieves a list of all the services and then loads the page from aws for that
+// service to scrape the compliance controls.
+
+const fs = require("fs");
+const cheerio = require("cheerio");
+const axios = require('axios');
+
+
+async function fetchAndLoad(url) {
+ try {
+ const response = await axios.get(url);
+ const html = response.data;
+ return cheerio.load(html);
+ } catch (error) {
+ console.error('Error fetching the webpage:', url);
+ }
+}
+
+function removePrefix(input) {
+ return input.replace(/^\[.*?\]\s*/, '');
+}
+
+function cleanString(input) {
+ return input.replace(/\n\s+/g, ' ').trim();
+}
+
+async function parse(service) {
+ const url = `https://docs.aws.amazon.com/securityhub/latest/userguide/${service}-controls.html`;
+ console.log(url);
+ const $ = await fetchAndLoad(url);
+
+ const results = [];
+
+ const frameworks = $("h2");
+ frameworks.each((i, elm) => {
+ const h2Text = $(elm).text();
+
+ const nextElement = $(elm).next('p');
+ if (nextElement.length > 0) {
+ const pText = nextElement.text();
+
+ results.push({ requirement: h2Text, frameworks: pText });
+ }
+ });
+
+ return results.map(r => removePrefix(r.requirement)).map(r => cleanString(r));
+}
+
+function loadServices() {
+ const contents = fs.readFileSync("./data/compliance/pages.json", {
+ encoding: "utf8",
+ });
+ const complianceFrameworks = JSON.parse(contents);
+ return complianceFrameworks.services.map(svc => svc.name)
+}
+
+async function getControls() {
+ const services = loadServices();
+ const result = {}
+
+ for (let svc of services) {
+ console.log(svc);
+ result[svc] = await parse(svc.replace(" ", "").toLowerCase())
+ }
+
+ console.log("file written to /data/compliance/controls.json");
+ fs.writeFileSync("./data/compliance/controls.json", JSON.stringify(result, null, 2));
+}
+
+getControls(); \ No newline at end of file diff --git a/scripts/content/generate-compliance-pages.sh b/scripts/content/generate-compliance-pages.sh new file mode 100755 index 000000000000..d8b8aadb6301 --- /dev/null +++ b/scripts/content/generate-compliance-pages.sh @@ -0,0 +1,54 @@ +#!/bin/bash + +# Load JSON data +pages=$(cat data/compliance/pages.json) + +for row in $(echo "${pages}" | jq -r '.frameworks[] | @base64'); do + for svc in $(echo "${pages}" | jq -r '.services[] | @base64'); do + _jq() { + echo ${row} | base64 --decode | jq -r ${1} + } + decodeService() { + echo ${svc} | base64 --decode | jq -r ${1} + } + slug=$(echo "$(_jq '.framework')-$(_jq '.cloud')-$(decodeService '.name')" | awk '{print tolower($0)}' | sed 's/ /-/g') + layout=$(_jq '.framework' | awk '{print tolower($0)}' | sed 's/ /-/g') + title="$(_jq '.framework') Compliance for $(_jq '.cloud') $(decodeService '.name')" + # Create a new markdown file for each entry + cat > "content/compliance/${slug}.md" < "content/compliance/$(echo "$(_jq '.cloud')-$(_jq '.framework')" | awk '{print tolower($0)}').md" <
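Review bot: A failed request in `fetchAndLoad` is logged and then swallowed — the catch block returns `undefined`, so `parse` fails one call later with a TypeError at `$("h2")` rather than at the source, and the log line omits the error itself. The top-level `getControls();` call at the end of the hunk is a floating promise as well, so that failure surfaces only as an unhandled-rejection warning instead of a non-zero exit for the `make generate-compliance-pages` target that runs this script. Rethrowing from the catch (with the error in the log) and terminating the chain with a `.catch` that sets `process.exitCode` makes the failure explicit; note that a page whose markup no longer has `h2`/`p` pairs still yields an empty list for that service with no signal, which a length check on the result of `parse` could report. Separately, `svc.replace(" ", "")` in `getControls` removes only the first space, so a service name containing two or more spaces builds a wrong URL; `svc.replace(/ /g, "")` matches the intent.
```javascript
async function fetchAndLoad(url) {
  try {
    // … unchanged: axios.get / cheerio.load …
  } catch (error) {
    console.error('Error fetching the webpage:', url, error.message);
    throw error;
  }
}

// … unchanged: removePrefix, cleanString, parse, loadServices …

async function getControls() {
  // … unchanged: loadServices / result setup …
  for (const svc of services) {
    console.log(svc);
    result[svc] = await parse(svc.replace(/ /g, "").toLowerCase());
  }
  // … unchanged: writeFileSync …
}

getControls().catch((error) => {
  console.error(error);
  process.exitCode = 1;
});
```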