Skip to content

Commit

Permalink
Merge pull request #189 from trussworks/remove-obsolete-rules
Browse files Browse the repository at this point in the history
Remove Obsolete Config Rules
  • Loading branch information
chtakahashi authored Nov 6, 2023
2 parents 78d6c14 + 5c975b3 commit a9e8c9c
Show file tree
Hide file tree
Showing 3 changed files with 276 additions and 322 deletions.
4 changes: 0 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,6 @@ No modules.
| [aws_config_config_rule.iam-policy-no-statements-with-full-access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.iam-user-no-policies-check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.iam_root_access_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.instances-in-vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.internet-gateway-authorized-vpc-only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.mfa_enabled_for_iam_console_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.multi-region-cloud-trail-enabled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
Expand All @@ -201,7 +200,6 @@ No modules.
| [aws_config_config_rule.s3-bucket-level-public-access-prohibited](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.s3-bucket-public-read-prohibited](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.s3-bucket-public-write-prohibited](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.s3-bucket-server-side-encryption-enabled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.s3_bucket_ssl_requests_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.vpc-sg-open-only-to-authorized-ports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
| [aws_config_config_rule.vpc_default_security_group_closed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
Expand Down Expand Up @@ -263,7 +261,6 @@ No modules.
| check\_iam\_policy\_no\_statements\_with\_full\_access | Enable iam-policy-no-statements-with-full-access rule | `bool` | `true` | no |
| check\_iam\_root\_access\_key | Enable iam-root-access-key rule | `bool` | `true` | no |
| check\_iam\_user\_no\_policies\_check | Enable iam-user-no-policies-check rule | `bool` | `true` | no |
| check\_instances\_in\_vpc | Enable instances-in-vpc rule | `bool` | `true` | no |
| check\_internet\_gateway\_authorized\_vpc\_only | Enable internet-gateway-authorized-vpc-only rule | `bool` | `false` | no |
| check\_mfa\_enabled\_for\_iam\_console\_access | Enable mfa-enabled-for-iam-console-access rule | `bool` | `true` | no |
| check\_multi\_region\_cloud\_trail | Enable multi-region-cloud-trail-enabled rule | `bool` | `false` | no |
Expand All @@ -281,7 +278,6 @@ No modules.
| check\_s3\_bucket\_level\_public\_access\_prohibited | Enable s3-bucket-level-public-access-prohibited rule | `bool` | `false` | no |
| check\_s3\_bucket\_public\_read\_prohibited | Enable s3-bucket-public-read-prohibited rule | `bool` | `false` | no |
| check\_s3\_bucket\_public\_write\_prohibited | Enable s3-bucket-public-write-prohibited rule | `bool` | `true` | no |
| check\_s3\_bucket\_server\_side\_encryption\_enabled | Enable s3-bucket-server-side-encryption-enabled rule | `bool` | `true` | no |
| check\_s3\_bucket\_ssl\_requests\_only | Enable s3-bucket-ssl-requests-only rule | `bool` | `true` | no |
| check\_vpc\_default\_security\_group\_closed | Enable vpc-default-security-group-closed rule | `bool` | `true` | no |
| check\_vpc\_sg\_open\_only\_to\_authorized\_ports | Enable vpc-sg-open-only-to-authorized-ports rule | `bool` | `false` | no |
Expand Down
30 changes: 0 additions & 30 deletions config-rules.tf
Original file line number Diff line number Diff line change
Expand Up @@ -178,21 +178,6 @@ resource "aws_config_config_rule" "cloud-trail-log-file-validation-enabled" {
depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "instances-in-vpc" {
count = var.check_instances_in_vpc ? 1 : 0
name = "instances-in-vpc"
description = "Ensure all EC2 instances run in a VPC"

source {
owner = "AWS"
source_identifier = "INSTANCES_IN_VPC"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "root-account-mfa-enabled" {
count = var.check_root_account_mfa_enabled ? 1 : 0
name = "root-account-mfa-enabled"
Expand Down Expand Up @@ -923,21 +908,6 @@ resource "aws_config_config_rule" "s3-bucket-acl-prohibited" {
depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "s3-bucket-server-side-encryption-enabled" {
count = var.check_s3_bucket_server_side_encryption_enabled ? 1 : 0
name = "s3-bucket-server-side-encryption-enabled"
description = "Checks if S3 bucket either has the S3 default encryption enabled or that S3 policy explicitly denies put-object requests without SSE that uses AES-256 or AWS KMS. The rule is NON_COMPLIANT if your Amazon S3 bucket is not encrypted by default."

source {
owner = "AWS"
source_identifier = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "vpc-sg-open-only-to-authorized-ports" {
count = var.check_vpc_sg_open_only_to_authorized_ports ? 1 : 0
name = "vpc-sg-open-only-to-authorized-ports"
Expand Down
Loading

0 comments on commit a9e8c9c

Please sign in to comment.