From 9798cfc024bfd22d25c8ca67cf58bff082ab4c7c Mon Sep 17 00:00:00 2001 From: bensonce <133029270+bensonce@users.noreply.github.com> Date: Sun, 15 Sep 2024 00:05:45 +0000 Subject: [PATCH] Automatic updates to AWS managed Config Rules --- files/pack-rules-list.txt | 2 + files/pack-rules.yaml | 224 ++++++++++++++++++++++++++++++++++++- managed_rules_locals.tf | 64 ++++++++++- managed_rules_variables.tf | 105 +++++++++++++++++ 4 files changed, 390 insertions(+), 5 deletions(-) diff --git a/files/pack-rules-list.txt b/files/pack-rules-list.txt index b64bc80..a82b99e 100644 --- a/files/pack-rules-list.txt +++ b/files/pack-rules-list.txt @@ -51,6 +51,8 @@ Operational-Best-Practices-for-ENISA-Cybersecurity-Guide Operational-Best-Practices-for-Encryption-and-Keys Operational-Best-Practices-for-FDA-21CFR-Part-11 Operational-Best-Practices-for-FFIEC +Operational-Best-Practices-for-FedRAMP-HighPart1 +Operational-Best-Practices-for-FedRAMP-HighPart2 Operational-Best-Practices-for-FedRAMP-Low Operational-Best-Practices-for-FedRAMP Operational-Best-Practices-for-Germany-C5 diff --git a/files/pack-rules.yaml b/files/pack-rules.yaml index d0422cf..fc1455c 100644 --- a/files/pack-rules.yaml +++ b/files/pack-rules.yaml @@ -1,4 +1,4 @@ -generated_on: '2024-08-01T00:05:28Z' +generated_on: '2024-09-15T00:05:29Z' packs: AWS-Control-Tower-Detective-Guardrails: - autoscaling-launch-config-public-ip-disabled 
@@ -3989,6 +3989,228 @@ packs: - vpc-sg-open-only-to-authorized-ports - vpc-vpn-2-tunnels-up - wafv2-logging-enabled + Operational-Best-Practices-for-FedRAMP-HighPart1: + - access-keys-rotated + - acm-certificate-expiration-check + - alb-http-to-https-redirection-check + - alb-waf-enabled + - api-gw-associated-with-waf + - api-gw-cache-enabled-and-encrypted + - api-gw-execution-logging-enabled + - api-gw-ssl-enabled + - aurora-resources-protected-by-backup-plan + - autoscaling-group-elb-healthcheck-required + - autoscaling-launch-config-public-ip-disabled + - backup-plan-min-frequency-and-min-retention-check + - beanstalk-enhanced-health-reporting-enabled + - cloud-trail-cloud-watch-logs-enabled + - cloud-trail-encryption-enabled + - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled + - cloudtrail-s3-dataevents-enabled + - cloudwatch-alarm-action-check + - cloudwatch-log-group-encrypted + - cmk-backing-key-rotation-enabled + - codebuild-project-envvar-awscred-check + - codebuild-project-logging-enabled + - codebuild-project-source-repo-url-check + - cw-loggroup-retention-period-check + - db-instance-backup-enabled + - dms-replication-not-public + - dynamodb-autoscaling-enabled + - dynamodb-in-backup-plan + - dynamodb-pitr-enabled + - dynamodb-resources-protected-by-backup-plan + - dynamodb-throughput-limit-check + - ebs-in-backup-plan + - ebs-optimized-instance + - ebs-resources-protected-by-backup-plan + - ebs-snapshot-public-restorable-check + - ec2-ebs-encryption-by-default + - ec2-imdsv2-check + - ec2-instance-detailed-monitoring-enabled + - ec2-instance-managed-by-systems-manager + - ec2-instance-no-public-ip + - ec2-instance-profile-attached + - ec2-instances-in-vpc + - ec2-managedinstance-association-compliance-status-check + - ec2-managedinstance-patch-compliance-status-check + - ec2-resources-protected-by-backup-plan + - ec2-stopped-instance + - ec2-volume-inuse-check + - ecs-task-definition-user-for-host-mode-check + - efs-encrypted-check + - 
efs-in-backup-plan + - efs-resources-protected-by-backup-plan + - elastic-beanstalk-managed-updates-enabled + - elasticache-redis-cluster-automatic-backup-check + - elasticsearch-encrypted-at-rest + - elasticsearch-in-vpc-only + - elasticsearch-logs-to-cloudwatch + - elasticsearch-node-to-node-encryption-check + - elb-acm-certificate-required + - elb-cross-zone-load-balancing-enabled + - elb-deletion-protection-enabled + - elb-logging-enabled + - elb-tls-https-listeners-only + - emr-master-no-public-ip + - encrypted-volumes + - fsx-resources-protected-by-backup-plan + - guardduty-enabled-centralized + - guardduty-non-archived-findings + - iam-customer-policy-blocked-kms-actions + - iam-group-has-users-check + - iam-inline-policy-blocked-kms-actions + - iam-no-inline-policy-check + - iam-password-policy + - iam-policy-no-statements-with-admin-access + - iam-policy-no-statements-with-full-access + - iam-root-access-key-check + - iam-user-group-membership-check + - iam-user-mfa-enabled + - iam-user-no-policies-check + - iam-user-unused-credentials-check + - kms-cmk-not-scheduled-for-deletion + - lambda-concurrency-check + - lambda-dlq-check + - lambda-function-public-access-prohibited + - lambda-inside-vpc + - mfa-enabled-for-iam-console-access + - multi-region-cloudtrail-enabled + - no-unrestricted-route-to-igw + - rds-enhanced-monitoring-enabled + - rds-instance-deletion-protection-enabled + - rds-instance-public-access-check + - rds-logging-enabled + - rds-multi-az-support + - rds-resources-protected-by-backup-plan + - rds-snapshot-encrypted + - rds-snapshots-public-prohibited + - rds-storage-encrypted + - redshift-backup-enabled + - redshift-cluster-configuration-check + - redshift-cluster-kms-enabled + - redshift-cluster-maintenancesettings-check + - redshift-cluster-public-access-check + - redshift-require-tls-ssl + - restricted-common-ports + - restricted-ssh + - s3-account-level-public-access-blocks-periodic + - s3-bucket-default-lock-enabled + - 
s3-bucket-level-public-access-prohibited + - s3-bucket-logging-enabled + - s3-bucket-public-read-prohibited + - s3-bucket-public-write-prohibited + - s3-bucket-replication-enabled + - s3-bucket-server-side-encryption-enabled + - s3-bucket-ssl-requests-only + - s3-bucket-versioning-enabled + - s3-default-encryption-kms + - s3-version-lifecycle-policy-check + - sagemaker-endpoint-configuration-kms-key-configured + - sagemaker-notebook-instance-kms-key-configured + - sagemaker-notebook-no-direct-internet-access + - securityhub-enabled + - ssm-document-not-public + - subnet-auto-assign-public-ip-disabled + - vpc-sg-open-only-to-authorized-ports + Operational-Best-Practices-for-FedRAMP-HighPart2: + - acm-certificate-expiration-check + - api-gw-cache-enabled-and-encrypted + - api-gw-execution-logging-enabled + - api-gw-ssl-enabled + - aurora-resources-protected-by-backup-plan + - autoscaling-launch-config-public-ip-disabled + - backup-plan-min-frequency-and-min-retention-check + - backup-recovery-point-encrypted + - backup-recovery-point-manual-deletion-disabled + - backup-recovery-point-minimum-retention-check + - cloud-trail-cloud-watch-logs-enabled + - cloud-trail-encryption-enabled + - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled + - cloudtrail-s3-bucket-public-access-prohibited + - cloudtrail-s3-dataevents-enabled + - cloudtrail-security-trail-enabled + - cloudwatch-alarm-action-check + - cloudwatch-log-group-encrypted + - db-instance-backup-enabled + - dynamodb-autoscaling-enabled + - dynamodb-in-backup-plan + - dynamodb-pitr-enabled + - dynamodb-resources-protected-by-backup-plan + - dynamodb-table-encrypted-kms + - ebs-in-backup-plan + - ebs-resources-protected-by-backup-plan + - ec2-ebs-encryption-by-default + - ec2-instance-managed-by-systems-manager + - ec2-instances-in-vpc + - ec2-managedinstance-association-compliance-status-check + - ec2-managedinstance-patch-compliance-status-check + - ec2-resources-protected-by-backup-plan + - 
efs-encrypted-check + - efs-in-backup-plan + - efs-resources-protected-by-backup-plan + - eks-endpoint-no-public-access + - elasticache-redis-cluster-automatic-backup-check + - elasticsearch-encrypted-at-rest + - elasticsearch-logs-to-cloudwatch + - elb-cross-zone-load-balancing-enabled + - elb-logging-enabled + - emr-master-no-public-ip + - encrypted-volumes + - fsx-resources-protected-by-backup-plan + - guardduty-enabled-centralized + - iam-no-inline-policy-check + - iam-password-policy + - iam-policy-no-statements-with-admin-access + - iam-root-access-key-check + - iam-user-group-membership-check + - iam-user-mfa-enabled + - iam-user-no-policies-check + - iam-user-unused-credentials-check + - inspector-ec2-scan-enabled + - inspector-ecr-scan-enabled + - inspector-lambda-standard-scan-enabled + - kinesis-stream-encrypted + - lambda-dlq-check + - lambda-function-public-access-prohibited + - lambda-inside-vpc + - mfa-enabled-for-iam-console-access + - multi-region-cloudtrail-enabled + - rds-in-backup-plan + - rds-instance-deletion-protection-enabled + - rds-instance-public-access-check + - rds-logging-enabled + - rds-multi-az-support + - rds-resources-protected-by-backup-plan + - rds-snapshot-encrypted + - rds-storage-encrypted + - redshift-backup-enabled + - redshift-cluster-configuration-check + - redshift-cluster-kms-enabled + - redshift-cluster-public-access-check + - restricted-ssh + - s3-bucket-cross-region-replication-enabled + - s3-bucket-logging-enabled + - s3-bucket-replication-enabled + - s3-bucket-server-side-encryption-enabled + - s3-bucket-versioning-enabled + - s3-default-encryption-kms + - s3-resources-protected-by-backup-plan + - s3-version-lifecycle-policy-check + - sagemaker-endpoint-configuration-kms-key-configured + - sagemaker-notebook-instance-kms-key-configured + - sagemaker-notebook-no-direct-internet-access + - secretsmanager-using-cmk + - securityhub-enabled + - sns-encrypted-kms + - subnet-auto-assign-public-ip-disabled + - 
vpc-default-security-group-closed + - vpc-flow-logs-enabled + - vpc-sg-open-only-to-authorized-ports + - vpc-vpn-2-tunnels-up + - wafv2-logging-enabled Operational-Best-Practices-for-FedRAMP-Low: - access-keys-rotated - acm-certificate-expiration-check diff --git a/managed_rules_locals.tf b/managed_rules_locals.tf index da0e58f..44fdda2 100644 --- a/managed_rules_locals.tf +++ b/managed_rules_locals.tf @@ -214,6 +214,14 @@ locals { severity = "Medium" } + aurora-resources-in-logically-air-gapped-vault = { + description = "Checks if Amazon Aurora DB clusters are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon Aurora DB cluster is not in a logically air-gapped vault within the specified time period." + identifier = "AURORA_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT" + input_parameters = var.aurora_resources_in_logically_air_gapped_vault_parameters + resource_types_scope = ["AWS::RDS::DBCluster"] + severity = "Medium" + } + aurora-resources-protected-by-backup-plan = { description = "Checks if Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan." identifier = "AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN" 
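Review bot: The new aurora-resources-in-logically-air-gapped-vault entry does not say what "within the specified time period" means in this module, and the default that gets wired in through `var.aurora_resources_in_logically_air_gapped_vault_parameters` is a 1-day window, so every Aurora cluster that has not landed an AWS Backup recovery point in a logically air-gapped vault in the last day is reported NON_COMPLIANT; clusters backed up by any other mechanism never pass. That is a sharper claim than the protected-by-backup-plan rule directly below it and is worth stating where an operator enabling the rule will see it. Suggest a comment above the entry, e.g. `# Only COMPLIANT when an AWS Backup recovery point exists in a logically air-gapped vault within recoveryPointAgeValue/Unit (default 1 day); other backup tooling does not satisfy this rule.` The `locals` block this hunk sits in starts and ends outside the hunk.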
@@ -659,14 +667,14 @@ locals { description = "Checks if Amazon EventBridge custom event buses have a resource-based policy attached. The rule is NON_COMPLIANT if a custom event bus policy does not have an attached resource-based policy." identifier = "CUSTOM_EVENTBUS_POLICY_ATTACHED" resource_types_scope = ["AWS::Events::EventBus"] - severity = "Medium" + severity = "Low" } custom-schema-registry-policy-attached = { description = "Checks if custom Amazon EventBridge schema registries have a resource policy attached. The rule is NON_COMPLIANT for custom schema registries without a resource policy attached." identifier = "CUSTOM_SCHEMA_REGISTRY_POLICY_ATTACHED" resource_types_scope = ["AWS::EventSchemas::Registry"] - severity = "Low" + severity = "Medium" } cw-loggroup-retention-period-check = { @@ -921,6 +929,14 @@ locals { severity = "Low" } + ebs-resources-in-logically-air-gapped-vault = { + description = "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EBS volume is not in a logically air-gapped vault within the specified time period." + identifier = "EBS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT" + input_parameters = var.ebs_resources_in_logically_air_gapped_vault_parameters + resource_types_scope = ["AWS::EC2::Volume"] + severity = "Medium" + } + ebs-resources-protected-by-backup-plan = { description = "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EBS volume is not covered by a backup plan." identifier = "EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN" 
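Review bot: The two severity edits in this hunk are an exact swap between adjacent rules — custom-eventbus-policy-attached goes Medium→Low while custom-schema-registry-policy-attached goes Low→Medium — which looks more like a transposition in the upstream feed the bot consumes than a deliberate re-rating, and it should be checked against the AWS managed-rule pages before merging. A bot-applied swap like this silently changes the severity that downstream findings and dashboards carry for both rules. If it is intentional, a comment on each line such as `# severity re-rated upstream 2024-09` would stop the next reviewer from flagging it again; if it is not, the prior values (`Medium` for the event bus rule, `Low` for the schema registry rule) should be restored. The enclosing `locals` block starts and ends outside the hunk.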
@@ -1083,6 +1099,14 @@ locals { severity = "Medium" } + ec2-resources-in-logically-air-gapped-vault = { + description = "Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EC2 instance is not in a logically air-gapped vault within the specified time period." + identifier = "EC2_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT" + input_parameters = var.ec2_resources_in_logically_air_gapped_vault_parameters + resource_types_scope = ["AWS::EC2::Instance"] + severity = "Medium" + } + ec2-resources-protected-by-backup-plan = { description = "Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EC2 instance is not covered by a backup plan." identifier = "EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN" @@ -1230,7 +1254,7 @@ locals { } ecs-task-definition-user-for-host-mode-check = { - description = "Checks for unauthorized permissions in your latest active Amazon Elastic Container Service (Amazon ECS) task definitions that have NetworkMode set to host. The rule is NON_COMPLIANT for task definitions with NetworkMode set to host, and container..." + description = "Checks if Amazon ECS task definitions with host network mode have privileged OR nonroot in the container definition. The rule is NON_COMPLIANT if the latest active revision of a task definition has privileged=false (or is null) AND user=root (or is null)." identifier = "ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK" input_parameters = var.ecs_task_definition_user_for_host_mode_check_parameters resource_types_scope = ["AWS::ECS::TaskDefinition"] 
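Review bot: The rewritten description for ecs-task-definition-user-for-host-mode-check makes the rule's blind spot explicit — it is NON_COMPLIANT only when `privileged=false` (or null) AND `user=root` (or null) — so a host-network task that runs as root with `privileged=true` evaluates COMPLIANT, which is the opposite of what a reader of this module would assume a "user for host mode" check enforces. That is AWS's documented semantics rather than a defect in the entry, but it deserves a warning next to it so nobody treats this rule as a no-root or no-privileged-container control. Suggest a comment above the entry, e.g. `# NOTE: privileged=true containers pass this rule even when running as root; pair it with a separate privileged-container check.` The ecs-task-definition-user-for-host-mode-check block continues past the end of the hunk.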
@@ -1298,6 +1322,14 @@ locals { severity = "Medium" } + efs-resources-in-logically-air-gapped-vault = { + description = "Checks if Amazon Elastic File System (Amazon EFS) File Systems are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EFS File System is not in a logically air-gapped vault within the specified time period." + identifier = "EFS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT" + input_parameters = var.efs_resources_in_logically_air_gapped_vault_parameters + resource_types_scope = ["AWS::EFS::FileSystem"] + severity = "Medium" + } + efs-resources-protected-by-backup-plan = { description = "Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the EFS File System is not covered by a backup plan." identifier = "EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN" @@ -2771,6 +2803,14 @@ locals { severity = "Medium" } + s3-resources-in-logically-air-gapped-vault = { + description = "Checks if Amazon Simple Storage Service (Amazon S3) buckets are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon S3 bucket is not in a logically air-gapped vault within the specified time period." + identifier = "S3_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT" + input_parameters = var.s3_resources_in_logically_air_gapped_vault_parameters + resource_types_scope = ["AWS::S3::Bucket"] + severity = "Medium" + } + s3-resources-protected-by-backup-plan = { description = "Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon S3 bucket is not covered by a backup plan." identifier = "S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN" 
@@ -2888,7 +2928,7 @@ locals { description = "Checks if AWS Service Catalog shares portfolios to an organization (a collection of AWS accounts treated as a single unit) when integration is enabled with AWS Organizations. The rule is NON_COMPLIANT if the Type value of a share is ACCOUNT ." identifier = "SERVICE_CATALOG_SHARED_WITHIN_ORGANIZATION" resource_types_scope = ["AWS::ServiceCatalog::Portfolio"] - severity = "Medium" + severity = "High" } service-vpc-endpoint-enabled = { @@ -2956,6 +2996,14 @@ locals { severity = "High" } + storagegateway-resources-in-logically-air-gapped-vault = { + description = "Checks if AWS Storage Gateway volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an AWS Storage Gateway volume is not in a logically air-gapped vault within the specified time period." + identifier = "STORAGEGATEWAY_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT" + input_parameters = var.storagegateway_resources_in_logically_air_gapped_vault_parameters + resource_types_scope = ["AWS::StorageGateway::Volume"] + severity = "Medium" + } + storagegateway-resources-protected-by-backup-plan = { description = "Checks if AWS Storage Gateway volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Storage Gateway volume is not covered by a backup plan." identifier = "STORAGEGATEWAY_RESOURCES_PROTECTED_BY_BACKUP_PLAN" 
@@ -2986,6 +3034,14 @@ locals { severity = "High" } + virtualmachine-resources-in-logically-air-gapped-vault = { + description = "Checks if AWS Backup-Gateway VirtualMachines are in a logically air-gapped vault. The rule is NON_COMPLIANT if an AWS Backup-Gateway VirtualMachines is not in a logically air-gapped vault within the specified time period." + identifier = "VIRTUALMACHINE_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT" + input_parameters = var.virtualmachine_resources_in_logically_air_gapped_vault_parameters + resource_types_scope = ["AWS::BackupGateway::VirtualMachine"] + severity = "Medium" + } + virtualmachine-resources-protected-by-backup-plan = { description = "Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan. The rule is NON_COMPLIANT if the Backup-Gateway VirtualMachine is not covered by a backup plan." identifier = "VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN" diff --git a/managed_rules_variables.tf b/managed_rules_variables.tf index db087f2..8f94d19 100644 --- a/managed_rules_variables.tf +++ b/managed_rules_variables.tf @@ -171,6 +171,21 @@ variable "aurora_mysql_backtracking_enabled_parameters" { default = {} } +variable "aurora_resources_in_logically_air_gapped_vault_parameters" { + description = "Input parameters for the aurora-resources-in-logically-air-gapped-vault rule." + type = object({ + recoveryPointAgeUnit = optional(string, "days") + recoveryPointAgeValue = optional(number, 1) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = { + recoveryPointAgeUnit = "days" + recoveryPointAgeValue = 1 + } + +} + variable "aurora_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the aurora-resources-protected-by-backup-plan rule." type = object({ 
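Review bot: `recoveryPointAgeUnit` in the new aurora_resources_in_logically_air_gapped_vault_parameters variable is a bare `string`, so a value such as `day` or `Days` is accepted at plan time and only fails when AWS Config rejects the rule at apply or evaluation; a `validation` block restricting it to the units the rule accepts (`hours`/`days` per the AWS parameter docs — confirm against the rule page) and requiring a positive `recoveryPointAgeValue` catches that before anything is deployed. The explicit `default` object also just repeats the `optional()` defaults, so `default = {}` yields the same values and matches the sibling variables visible in the context lines, such as `aurora_mysql_backtracking_enabled_parameters`. The same shape is duplicated for the five other `*_resources_in_logically_air_gapped_vault_parameters` variables in this patch, so whatever is done here should be applied to each of them.
```hcl
variable "aurora_resources_in_logically_air_gapped_vault_parameters" {
  # … unchanged: description and type …
  default = {}

  validation {
    condition     = contains(["hours", "days"], var.aurora_resources_in_logically_air_gapped_vault_parameters.recoveryPointAgeUnit) && var.aurora_resources_in_logically_air_gapped_vault_parameters.recoveryPointAgeValue > 0
    error_message = "recoveryPointAgeUnit must be \"hours\" or \"days\" and recoveryPointAgeValue must be a positive number."
  }
}
```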
@@ -575,6 +590,21 @@ variable "ebs_meets_restore_time_target_parameters" { default = {} } +variable "ebs_resources_in_logically_air_gapped_vault_parameters" { + description = "Input parameters for the ebs-resources-in-logically-air-gapped-vault rule." + type = object({ + recoveryPointAgeUnit = optional(string, "days") + recoveryPointAgeValue = optional(number, 1) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = { + recoveryPointAgeUnit = "days" + recoveryPointAgeValue = 1 + } + +} + variable "ebs_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the ebs-resources-protected-by-backup-plan rule." type = object({ @@ -676,6 +706,21 @@ variable "ec2_meets_restore_time_target_parameters" { default = {} } +variable "ec2_resources_in_logically_air_gapped_vault_parameters" { + description = "Input parameters for the ec2-resources-in-logically-air-gapped-vault rule." + type = object({ + recoveryPointAgeUnit = optional(string, "days") + recoveryPointAgeValue = optional(number, 1) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = { + recoveryPointAgeUnit = "days" + recoveryPointAgeValue = 1 + } + +} + variable "ec2_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the ec2-resources-protected-by-backup-plan rule." type = object({ 
@@ -792,6 +837,21 @@ variable "efs_meets_restore_time_target_parameters" { default = {} } +variable "efs_resources_in_logically_air_gapped_vault_parameters" { + description = "Input parameters for the efs-resources-in-logically-air-gapped-vault rule." + type = object({ + recoveryPointAgeUnit = optional(string, "days") + recoveryPointAgeValue = optional(number, 1) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = { + recoveryPointAgeUnit = "days" + recoveryPointAgeValue = 1 + } + +} + variable "efs_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the efs-resources-protected-by-backup-plan rule." type = object({ @@ -1715,6 +1775,21 @@ variable "s3_meets_restore_time_target_parameters" { default = {} } +variable "s3_resources_in_logically_air_gapped_vault_parameters" { + description = "Input parameters for the s3-resources-in-logically-air-gapped-vault rule." + type = object({ + recoveryPointAgeUnit = optional(string, "days") + recoveryPointAgeValue = optional(number, 1) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = { + recoveryPointAgeUnit = "days" + recoveryPointAgeValue = 1 + } + +} + variable "s3_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the s3-resources-protected-by-backup-plan rule." type = object({ 
@@ -1834,6 +1909,21 @@ variable "storagegateway_last_backup_recovery_point_created_parameters" { } +variable "storagegateway_resources_in_logically_air_gapped_vault_parameters" { + description = "Input parameters for the storagegateway-resources-in-logically-air-gapped-vault rule." + type = object({ + recoveryPointAgeUnit = optional(string, "days") + recoveryPointAgeValue = optional(number, 1) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = { + recoveryPointAgeUnit = "days" + recoveryPointAgeValue = 1 + } + +} + variable "storagegateway_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the storagegateway-resources-protected-by-backup-plan rule." type = object({ @@ -1863,6 +1953,21 @@ variable "virtualmachine_last_backup_recovery_point_created_parameters" { } +variable "virtualmachine_resources_in_logically_air_gapped_vault_parameters" { + description = "Input parameters for the virtualmachine-resources-in-logically-air-gapped-vault rule." + type = object({ + recoveryPointAgeUnit = optional(string, "days") + recoveryPointAgeValue = optional(number, 1) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = { + recoveryPointAgeUnit = "days" + recoveryPointAgeValue = 1 + } + +} + variable "virtualmachine_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the virtualmachine-resources-protected-by-backup-plan rule." type = object({