As a Cloud Security Operations administrator, you must continuously verify that the organizational units in your AWS landing zone comply with the policies you applied. Cloud Guardrails helps you detect drift from your policies and enforce compliance.
To ensure that the organizational units in your AWS landing zone comply with your security policies, you can have Cloud Guardrails attach security baseline guardrails to your landing zone. Cloud Guardrails includes security templates that bundle policies and configuration rules; the templates enforce those rules on the organizational units in your landing zone.
Cloud Guardrails can apply mandatory, strongly recommended, and elective baseline security guardrail policies to your AWS landing zone. When you, as a Cloud Operations administrator, set up your AWS landing zone, the mandatory guardrails are enabled by default. During setup, you can select the strongly recommended and elective guardrails that you need to apply to your landing zone, and you can deselect them later as needed.
Table 1. Cloud Guardrails security baseline templates for the organizational units in your AWS landing zone

Mandatory guardrails
- Supported security template: Mandatory and Strongly Recommended Guardrails SCP Policy
- Rules in the template that Cloud Guardrails enforces:
  - Disallow Deletion of Log Archive
  - Detect Public Read Access Setting for Log Archive
  - Detect Public Write Access Setting for Log Archive
  - Disallow Configuration Changes to AWS Config
  - Enable AWS Config in All Available Regions

Strongly recommended guardrails
- Supported security template: Strongly Recommended Guardrails Config Rules
- Rules in the template that Cloud Guardrails enforces:
  - Disallow Creation of Access Keys for the Root User
  - Disallow Actions as a Root User
  - Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances
  - Detect Whether Unrestricted Incoming TCP Traffic is Allowed
  - Detect Whether Unrestricted Internet Connection Through SSH is Allowed
  - Detect Whether MFA for the Root User is Enabled
  - Detect Whether Public Read Access to Amazon S3 Buckets is Allowed
  - Detect Whether Public Write Access to Amazon S3 Buckets is Allowed
  - Detect Whether Amazon EBS Volumes are Attached to Amazon EC2 Instances
  - Detect Whether Amazon EBS Optimization is Enabled for Amazon EC2 Instances
  - Detect Whether Public Access to Amazon RDS Database Instances is Enabled
  - Detect Whether Public Access to Amazon RDS Database Snapshots is Enabled
  - Detect Whether Storage Encryption is Enabled for Amazon RDS Database Instances

Elective guardrails
- Supported security templates: Cloud Guardrails provides templates that support elective guardrails for SCP policies and configuration rules: Elective Guardrails SCP Policy and Elective Guardrails Config Rules
- Rules in the templates that Cloud Guardrails enforces:
  - Disallow Changes to Encryption Configuration for Amazon S3 Buckets [Previously: Enable Encryption at Rest for Log Archive]
  - Disallow Changes to Logging Configuration for Amazon S3 Buckets [Previously: Enable Access Logging for Log Archive]
  - Disallow Changes to Bucket Policy for Amazon S3 Buckets [Previously: Disallow Policy Changes to Log Archive]
  - Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets [Previously: Set a Retention Policy for Log Archive]
  - Disallow Changes to Replication Configuration for Amazon S3 Buckets
  - Disallow Delete Actions on Amazon S3 Buckets Without MFA
  - Detect Whether MFA is Enabled for AWS IAM Users
  - Detect Whether MFA is Enabled for AWS IAM Users of the AWS Console
  - Detect Whether Versioning for Amazon S3 Buckets is Enabled
  - Guardrails that enhance data residency protection
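The "Disallow" rules in the table are preventive controls delivered as an SCP, while the "Detect" rules are detective AWS Config rules. As an added illustration that is not the content of the product's template, the following Python builds an SCP with two of the mandatory preventive guardrails and a small evaluator that shows which requests the deny statements block; the bucket name and the landing-zone execution role ARN are placeholder assumptions.

```python
import fnmatch

# Illustrative SCP, not the content of the Cloud Guardrails template. Bucket
# name and landing-zone execution role ARN are placeholders (assumptions).
LOG_ARCHIVE_BUCKET = "EXAMPLE-log-archive-bucket"
LANDING_ZONE_ROLE = "arn:aws:iam::*:role/EXAMPLE-LandingZoneExecution"

MANDATORY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # "Disallow Deletion of Log Archive" as a preventive deny
            "Sid": "DisallowDeletionOfLogArchive",
            "Effect": "Deny",
            "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": [f"arn:aws:s3:::{LOG_ARCHIVE_BUCKET}",
                         f"arn:aws:s3:::{LOG_ARCHIVE_BUCKET}/*"],
            # Only the landing-zone execution role is exempt from the deny.
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": LANDING_ZONE_ROLE}},
        },
        {   # "Disallow Configuration Changes to AWS Config"
            "Sid": "DisallowConfigurationChangesToAWSConfig",
            "Effect": "Deny",
            "Action": ["config:DeleteConfigurationRecorder", "config:DeleteDeliveryChannel",
                       "config:StopConfigurationRecorder", "config:PutConfigurationRecorder",
                       "config:PutDeliveryChannel"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": LANDING_ZONE_ROLE}},
        },
    ],
}

def _matches(patterns, value):
    # IAM-style wildcard match ('*' and '?'); simplified, case-sensitive.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def denied_by_scp(scp, principal_arn, action, resource):
    """Return the Sid of the first Deny statement that blocks the request, or None.
    Simplified: only Effect=Deny and the ArnNotLike condition are modelled."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and _matches(exempt, principal_arn):
            continue  # exempted principal: this statement does not deny
        return stmt["Sid"]
    return None
```

An SCP never grants permissions; a request that no statement denies is still subject to the IAM policies of the calling principal.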
Procedure
- To apply the security policies to the organizational units in your AWS landing zone, access the Cloud Guardrails policy templates from your vRealize Automation Cloud instance.
- On the Guardrails tab, click +New.
- Click From library.
- Click the Security card.
- Import the SCP policy template and config templates.
- Select the template named Mandatory and Strongly Recommended Guardrails SCP Policy.
- Select the template named Strongly Recommended Guardrails Config Rules.
- Select the template named Elective Guardrails SCP Policy.
- Select the template named Elective Guardrails Config Rules.
- Click Add Selected Template, select a project, and click Import. The templates appear in the list on the Templates tab.
- To create the desired states, click each template, and click Create Desired State. For example, click Strongly Recommended Guardrails Config Rules, and click Create Desired State.
- In the Create a Desired State dialog box, enter a name and description, and select a cloud account and region. Then click Create.
- Create the desired states for the other security templates for your landing zone.
Results
Congratulations! To ensure that the organizational units in your AWS landing zone comply with your security policies, you imported the security templates for your landing zone and created desired states.
What to do next
After you create the desired state, you can run it and view the resulting enforcements. To find out more about creating desired states and enforcements, see How do I create a Cloud Guardrails desired state from a template and enforce it.