Adding docs for December build policies #1037
=== Description

This policy identifies AWS CodeGuru Reviewer repository associations that are not configured with a Customer Managed Key (CMK). Using CMK for encryption ensures that you have full control over the encryption keys, enhancing security for your repository data. Relying on default encryption options may not provide the level of security and compliance required for sensitive environments.
This policy detects whether AWS CodeGuru Reviewer repository associations use Customer Managed Key (CMK) for encryption. CMKs empower users with granular control over key management, including policy setting, usage permissions, and detailed monitoring of access and key rotations. Default encryption options may not provide the level of security and compliance required for sensitive environments. Enforcing the use of CMKs for AWS CodeGuru Reviewer repository associations enables organizations to maintain strict access control and auditing, strengthening overall security posture.
* *Resource:* aws_codegurureviewer_repository_association
* *Arguments:* kms_key_details

To fix this issue, ensure that the `kms_key_details` block is configured with the `encryption_option` set to `CUSTOMER_MANAGED_CMK` in your Terraform configuration.
To mitigate this issue, set the `encryption_option` parameter in the `kms_key_details` block to `CUSTOMER_MANAGED_CMK` in your Terraform configuration. This ensures that a CMK is used for encryption.
* *Arguments:* kms_key_details

To fix this issue, ensure that the `kms_key_details` block is configured with the `encryption_option` set to `CUSTOMER_MANAGED_CMK` in your Terraform configuration.
Example:
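The following Terraform snippet is an added illustration of the CodeGuru Reviewer remediation above; it is not from the PR or the reviewer, and the resource names, the CodeCommit repository and the KMS key are placeholders. It shows the association the policy flags (no `kms_key_details`, so the service falls back to an AWS-owned key) next to the compliant form that uses a customer managed key.

```hcl
# Added example, not part of the PR. All resource names are placeholders.
resource "aws_codecommit_repository" "example" {
  repository_name = "example-repo"
}

# Non-compliant: no kms_key_details block, so the association is encrypted
# with an AWS-owned key and the policy flags it.
resource "aws_codegurureviewer_repository_association" "flagged" {
  repository {
    codecommit {
      name = aws_codecommit_repository.example.repository_name
    }
  }
}

# Key the account controls: its key policy, rotation and CloudTrail usage
# records are all visible to the account rather than managed by the service.
resource "aws_kms_key" "codeguru" {
  description         = "CMK for CodeGuru Reviewer repository associations"
  enable_key_rotation = true
}

# Compliant: encryption_option is CUSTOMER_MANAGED_CMK and kms_key_id points
# at the customer managed key above.
resource "aws_codegurureviewer_repository_association" "compliant" {
  repository {
    codecommit {
      name = aws_codecommit_repository.example.repository_name
    }
  }

  kms_key_details {
    encryption_option = "CUSTOMER_MANAGED_CMK"
    kms_key_id        = aws_kms_key.codeguru.key_id
  }
}
```

When reviewing a plan, the check reduces to: every `aws_codegurureviewer_repository_association` must carry a `kms_key_details` block whose `encryption_option` is `CUSTOMER_MANAGED_CMK`; an absent block is equivalent to the AWS-owned default and should be treated as a finding.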
=== Description

This policy identifies the AWS Bedrock agent that is not associated with Bedrock guardrails. Amazon Bedrock Guardrails provides governance and compliance controls for generative AI applications, ensuring safe and responsible model use. Associating Guardrails with the Bedrock agent is useful for implementing governance and compliance controls in generative AI applications. Not linking Guardrails to the Bedrock agent raises the risk of non-compliance and harmful AI application outputs. It is recommended that AWS Bedrock agents be associated with Bedrock guardrails to implement safeguards and prevent unwanted behavior from model responses or user messages.
This policy detects whether the AWS Bedrock agent is associated with Bedrock guardrails. Amazon Bedrock Guardrails provides crucial governance and compliance controls for generative AI applications, ensuring their safe and responsible use. Associating Guardrails with the Bedrock agent is essential for enforcing these controls, mitigating the risk of non-compliance and potentially harmful outputs. Not associating Guardrails may expose organizations to various risks, including generating biased, inappropriate, or harmful content. By linking Guardrails, organizations can implement safeguards and prevent unwanted behavior in model responses or user messages.
* *Resource:* aws_bedrockagent_agent
* *Arguments:* guardrail_configuration.guardrail_identifier

To fix this issue, ensure that the `guardrail_configuration` block in your Terraform configuration includes a valid `guardrail_identifier`.
To mitigate this issue, configure the `guardrail_configuration` block in your Terraform configuration to include a valid `guardrail_identifier` argument. This ensures that the appropriate guardrails are associated with the Bedrock agent.
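An added Terraform illustration of the Bedrock agent remediation (not from the PR or the reviewer): the agent without a `guardrail_configuration` block beside one that references a guardrail defined in the same configuration. The IAM role, the foundation model identifier and the `guardrail_version` argument are assumptions for the example; the page itself only names `guardrail_configuration.guardrail_identifier`.

```hcl
# Added example, not part of the PR. Resource names are placeholders and the
# agent role (aws_iam_role.bedrock_agent) is assumed to exist elsewhere.
resource "aws_bedrock_guardrail" "example" {
  name                      = "example-guardrail"
  blocked_input_messaging   = "Sorry, this request cannot be processed."
  blocked_outputs_messaging = "Sorry, this response cannot be returned."
}

# Non-compliant: no guardrail_configuration block, so user input and model
# output reach and leave the agent without any guardrail filtering.
resource "aws_bedrockagent_agent" "flagged" {
  agent_name              = "example-agent-unguarded"
  agent_resource_role_arn = aws_iam_role.bedrock_agent.arn
  foundation_model        = "anthropic.claude-3-haiku-20240307-v1:0" # assumed model id
}

# Compliant: guardrail_identifier references the guardrail above.
# guardrail_version is assumed here to pin the evaluated guardrail revision.
resource "aws_bedrockagent_agent" "compliant" {
  agent_name              = "example-agent"
  agent_resource_role_arn = aws_iam_role.bedrock_agent.arn
  foundation_model        = "anthropic.claude-3-haiku-20240307-v1:0" # assumed model id

  guardrail_configuration {
    guardrail_identifier = aws_bedrock_guardrail.example.guardrail_id
    guardrail_version    = aws_bedrock_guardrail.example.version
  }
}
```

The policy condition is simply that `guardrail_configuration.guardrail_identifier` is present and non-empty; referencing the guardrail resource's exported id, rather than a hard-coded string, keeps the association correct when the guardrail is recreated.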
* *Arguments:* ip_address_type

To fix this issue, ensure that the `ip_address_type` attribute is set to `Private` or `None` in your Terraform configuration.
Example
* *Resource:* azurerm_container_group
* *Arguments:* ip_address_type

To fix this issue, ensure that the `ip_address_type` attribute is set to `Private` or `None` in your Terraform configuration.
To remediate this issue, set the `ip_address_type` attribute to `Private` or `None` in your Terraform configuration.
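An added Terraform illustration of the container group remediation (not from the PR or the reviewer). The resource group and the subnet are assumed to exist elsewhere; a `Private` address requires the group to be placed in a virtual network subnet via `subnet_ids`, which the page does not mention but the provider requires.

```hcl
# Added example, not part of the PR. Resource names are placeholders and
# azurerm_resource_group.example / azurerm_subnet.aci are assumed to exist
# (the subnet delegated to Microsoft.ContainerInstance/containerGroups).

# Non-compliant: Public exposes the container group on an internet-routable
# address. Public is also the provider default, so omitting ip_address_type
# has the same effect.
resource "azurerm_container_group" "flagged" {
  name                = "aci-public"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "Linux"
  ip_address_type     = "Public"

  container {
    name   = "app"
    image  = "nginx:1.25"
    cpu    = "0.5"
    memory = "1.5"

    ports {
      port     = 80
      protocol = "TCP"
    }
  }
}

# Compliant: Private keeps the group reachable only from inside the virtual
# network. ip_address_type = "None" (no address at all) also satisfies the
# policy for workloads that never need to be reached directly.
resource "azurerm_container_group" "compliant" {
  name                = "aci-private"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "Linux"
  ip_address_type     = "Private"
  subnet_ids          = [azurerm_subnet.aci.id]

  container {
    name   = "app"
    image  = "nginx:1.25"
    cpu    = "0.5"
    memory = "1.5"

    ports {
      port     = 80
      protocol = "TCP"
    }
  }
}
```

Because the provider defaults `ip_address_type` to `Public`, a scanner implementing this policy should flag an absent attribute as well as an explicit `Public` value.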
=== Description

HTTP application routing configures an Ingress controller in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints. While this makes it easy to access applications that are deployed to your Azure AKS cluster, this add-on is not recommended for production use.
This policy detects whether ingress controllers in AKS clusters are configured to allow HTTP application routing. While convenient for development and testing within your AKS clusters, enabling HTTP application routing for production deployments can introduce security risks. Because publicly accessible DNS names are automatically created for application endpoints, using HTTP instead of HTTPS for these endpoints could expose sensitive data, as HTTP traffic is not encrypted.
* *Arguments:* http_application_routing_enabled

To fix this issue, ensure that the `http_application_routing_enabled` attribute is set to `false` in your Terraform configuration.
Example:
* *Resource:* azurerm_kubernetes_cluster
* *Arguments:* http_application_routing_enabled

To fix this issue, ensure that the `http_application_routing_enabled` attribute is set to `false` in your Terraform configuration.
To mitigate this issue, set the `http_application_routing_enabled` attribute to `false` in your Terraform configuration.
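An added Terraform illustration of the AKS remediation (not from the PR or the reviewer): the cluster with the HTTP application routing add-on enabled, which the policy flags, beside the compliant cluster with it disabled. The resource group, node pool size and identity block are placeholders chosen only to make the resource valid.

```hcl
# Added example, not part of the PR. Resource names are placeholders and
# azurerm_resource_group.example is assumed to exist elsewhere.

# Non-compliant: the add-on publishes a public DNS name for every ingress it
# creates and serves plain HTTP, so application traffic is exposed unencrypted.
resource "azurerm_kubernetes_cluster" "flagged" {
  name                = "aks-dev"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "aksdev"

  http_application_routing_enabled = true

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}

# Compliant: the add-on is off. Ingress for production workloads should come
# from a separately managed ingress controller fronted by TLS.
resource "azurerm_kubernetes_cluster" "compliant" {
  name                = "aks-prod"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "aksprod"

  http_application_routing_enabled = false

  default_node_pool {
    name       = "default"
    node_count = 3
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}
```

The attribute defaults to `false` when omitted, so the only non-compliant form is an explicit `true`; the policy condition is therefore `http_application_routing_enabled != true`.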
Test URLs: