# Policy Overview

Cloudrift ships with 49 built-in OPA policies covering security, tagging, and cost optimization. Policy IDs are prefixed by the AWS service they cover; the security policies span 13 service areas (S3, EC2, security groups, RDS, IAM, CloudTrail, KMS, ELB, EBS, Lambda, CloudWatch Logs, VPC and Secrets Manager) and are evaluated against the 18 Terraform resource types listed under Resource Coverage.
## Summary
| ID | Policy Name | Severity | Category | Frameworks |
|---|---|---|---|---|
| S3-001 | S3 Encryption Required | HIGH | security | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| S3-002 | S3 KMS Encryption Recommended | LOW | security | HIPAA, PCI DSS, SOC 2 |
| S3-003 | S3 Block Public ACLs | HIGH | security | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-004 | S3 Block Public Policy | HIGH | security | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-005 | S3 Ignore Public ACLs | HIGH | security | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-006 | S3 Restrict Public Buckets | HIGH | security | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-007 | S3 No Public Read ACL | CRITICAL | security | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-008 | S3 No Public Read-Write ACL | CRITICAL | security | HIPAA, GDPR, PCI DSS, ISO 27001, SOC 2 |
| S3-009 | S3 Versioning Recommended | MEDIUM | security | ISO 27001, SOC 2 |
| EC2-001 | EC2 IMDSv2 Required | MEDIUM | security | PCI DSS, ISO 27001, SOC 2 |
| EC2-002 | EC2 Root Volume Encryption | HIGH | security | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| EC2-003 | EC2 Public IP Warning | MEDIUM | security | PCI DSS, ISO 27001, SOC 2 |
| EC2-005 | EC2 Large Instance Review | MEDIUM | cost | — |
| SG-001 | No Unrestricted SSH Access | CRITICAL | security | PCI DSS, ISO 27001, SOC 2 |
| SG-002 | No Unrestricted RDP Access | CRITICAL | security | PCI DSS, ISO 27001, SOC 2 |
| SG-003 | No Unrestricted All Ports Access | CRITICAL | security | PCI DSS, ISO 27001, SOC 2 |
| SG-004 | Database Port Public Exposure | HIGH | security | HIPAA, PCI DSS, ISO 27001, SOC 2 |
| RDS-001 | RDS Storage Encryption Required | HIGH | security | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| RDS-002 | RDS No Public Access | CRITICAL | security | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| RDS-003 | RDS Backup Retention Period | MEDIUM | security | HIPAA, ISO 27001, SOC 2 |
| RDS-004 | RDS Deletion Protection | MEDIUM | security | ISO 27001, SOC 2 |
| RDS-005 | RDS Multi-AZ Recommended | LOW | security | HIPAA, ISO 27001, SOC 2 |
| IAM-001 | No Wildcard IAM Actions | CRITICAL | security | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| IAM-002 | No Inline Policies on Users | MEDIUM | security | PCI DSS, ISO 27001, SOC 2 |
| IAM-003 | IAM Role Trust Too Broad | HIGH | security | PCI DSS, ISO 27001, SOC 2 |
| CT-001 | CloudTrail KMS Encryption | HIGH | security | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| CT-002 | CloudTrail Log File Validation | MEDIUM | security | PCI DSS, ISO 27001, SOC 2 |
| CT-003 | CloudTrail Multi-Region | MEDIUM | security | HIPAA, PCI DSS, ISO 27001, SOC 2 |
| KMS-001 | KMS Key Rotation Enabled | HIGH | security | HIPAA, PCI DSS, ISO 27001, SOC 2 |
| KMS-002 | KMS Key Deletion Window | MEDIUM | security | ISO 27001, SOC 2 |
| ELB-001 | ALB Access Logging | MEDIUM | security | HIPAA, PCI DSS, ISO 27001, SOC 2 |
| ELB-002 | ALB HTTPS Listener Required | HIGH | security | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| ELB-003 | ALB Deletion Protection | MEDIUM | security | ISO 27001, SOC 2 |
| EBS-001 | EBS Volume Encryption | HIGH | security | HIPAA, PCI DSS, ISO 27001, GDPR, SOC 2 |
| EBS-002 | EBS Snapshot Encryption | HIGH | security | HIPAA, PCI DSS, ISO 27001, GDPR |
| LAMBDA-001 | Lambda Tracing Enabled | MEDIUM | security | SOC 2, ISO 27001 |
| LAMBDA-002 | Lambda VPC Configuration | MEDIUM | security | HIPAA, PCI DSS, ISO 27001 |
| LOG-001 | CloudWatch Log Group Encryption | MEDIUM | security | HIPAA, PCI DSS, GDPR, SOC 2 |
| LOG-002 | CloudWatch Log Retention | MEDIUM | security | HIPAA, GDPR, SOC 2, ISO 27001 |
| VPC-001 | Default Security Group Restrict All | HIGH | security | PCI DSS, ISO 27001, SOC 2 |
| VPC-002 | Subnet No Auto-Assign Public IP | MEDIUM | security | PCI DSS, ISO 27001 |
| SECRET-001 | Secrets Manager KMS Encryption | MEDIUM | security | HIPAA, PCI DSS, GDPR, SOC 2 |
| SECRET-002 | Secrets Rotation Enabled | MEDIUM | security | PCI DSS, ISO 27001, SOC 2 |
| TAG-001 | Environment Tag Required | MEDIUM | tagging | SOC 2 |
| TAG-002 | Owner Tag Recommended | LOW | tagging | — |
| TAG-003 | Project Tag Recommended | LOW | tagging | — |
| TAG-004 | Name Tag Recommended | LOW | tagging | — |
| COST-002 | Very Large Instance Size | LOW | cost | — |
| COST-003 | Previous Generation Instance | LOW | cost | — |
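The SG-001 to SG-004 rows above name the condition each policy flags but not the evaluation logic. The following Python is an added, illustrative re-implementation of those four checks over a Terraform plan JSON document (the output of `terraform show -json`); it is not Cloudrift's own Rego, and both the plan-JSON input format and the `DB_PORTS` list used for SG-004 are assumptions of this example. It shows two details a reviewer should expect from such a check: a rule is "public" if either an IPv4 `0.0.0.0/0` or an IPv6 `::/0` source is present, and a port is exposed when the rule's range covers it (a `0-1024` range exposes SSH even though `22` never appears literally), with protocol `-1` covering everything.

```python
"""Illustrative re-implementation of Cloudrift's SG-001..SG-004 checks over a
Terraform plan JSON document (`terraform show -json tfplan`).

Added example, not Cloudrift's own Rego. Assumptions: the plan-JSON input
format, and the DB_PORTS list treated as "database ports" for SG-004."""
import json

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
# Assumed database ports for SG-004; Cloudrift's actual list may differ.
DB_PORTS = {3306: "MySQL/Aurora", 5432: "PostgreSQL", 1433: "SQL Server",
            1521: "Oracle", 27017: "MongoDB", 6379: "Redis"}


def is_public(rule):
    """An ingress rule is public if any IPv4 or IPv6 CIDR admits every source."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return bool(cidrs & ANY_SOURCE)


def is_all_ports(rule):
    """protocol -1 means all traffic (Terraform then requires from/to = 0);
    an explicit TCP 0-65535 range is treated the same way."""
    proto = str(rule.get("protocol") or "").lower()
    if proto in ("-1", "all"):
        return True
    return (proto == "tcp" and int(rule.get("from_port") or 0) == 0
            and int(rule.get("to_port") or 0) == 65535)


def covers_tcp_port(rule, port):
    """True if the rule's range includes `port`; a range such as 0-1024 still
    exposes SSH even though 22 never appears literally in the plan.
    Only TCP is considered here (assumption of this example)."""
    proto = str(rule.get("protocol") or "").lower()
    if proto in ("-1", "all"):
        return True
    if proto not in ("tcp", "6"):
        return False
    return int(rule.get("from_port") or 0) <= port <= int(rule.get("to_port") or 0)


def check_security_group(resource):
    """Yield (policy_id, severity, address, detail) for one aws_security_group."""
    address = resource["address"]
    for rule in resource.get("values", {}).get("ingress") or []:
        if not is_public(rule):
            continue
        if is_all_ports(rule):
            yield ("SG-003", "CRITICAL", address, "all ports open to the world")
            continue  # the port-specific findings would only repeat it
        if covers_tcp_port(rule, 22):
            yield ("SG-001", "CRITICAL", address, "tcp/22 open to the world")
        if covers_tcp_port(rule, 3389):
            yield ("SG-002", "CRITICAL", address, "tcp/3389 open to the world")
        for port, name in DB_PORTS.items():
            if covers_tcp_port(rule, port):
                yield ("SG-004", "HIGH", address, f"tcp/{port} ({name}) open to the world")


def iter_resources(module):
    """Walk root_module and nested child_modules of a plan's planned_values."""
    yield from module.get("resources") or []
    for child in module.get("child_modules") or []:
        yield from iter_resources(child)


def evaluate_plan(plan):
    """Return all SG findings for every aws_security_group in the plan."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") == "aws_security_group":
            findings.extend(check_security_group(res))
    return findings


# Constructed sample plan (not real infrastructure), trimmed to the fields used.
SAMPLE_PLAN = json.loads("""{
 "planned_values": {"root_module": {"resources": [
  {"address": "aws_security_group.bastion", "type": "aws_security_group",
   "values": {"ingress": [
     {"protocol": "tcp", "from_port": 0, "to_port": 1024,
      "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
     {"protocol": "tcp", "from_port": 3306, "to_port": 3306,
      "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}]}},
  {"address": "aws_security_group.app", "type": "aws_security_group",
   "values": {"ingress": [
     {"protocol": "tcp", "from_port": 22, "to_port": 22,
      "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}}],
  "child_modules": [{"address": "module.legacy", "resources": [
  {"address": "module.legacy.aws_security_group.wide_open", "type": "aws_security_group",
   "values": {"ingress": [
     {"protocol": "-1", "from_port": 0, "to_port": 0,
      "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}]}]}}}""")


if __name__ == "__main__":
    for policy_id, severity, address, detail in evaluate_plan(SAMPLE_PLAN):
        print(f"{severity:8} {policy_id}  {address}: {detail}")
```

On the constructed plan this reports SG-001 for the bastion group (its 0-1024 range covers SSH), SG-004 for the same group's MySQL rule (public only through the IPv6 `::/0` entry, which a check that looks at `cidr_blocks` alone would miss), and SG-003 for the `protocol = "-1"` group inside the child module; the `app` group, reachable only from `10.0.0.0/8`, produces nothing. An all-ports rule is reported once as SG-003 rather than also as SG-001, SG-002 and SG-004, which keeps the finding count meaningful.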
## Severity Distribution

Counts below are derived from the Summary table above (7 + 15 + 20 + 7 = 49 policies).

| Severity | Count | Description |
|---|---|---|
| CRITICAL | 7 | Immediate security risk, must fix |
| HIGH | 15 | Significant security concern |
| MEDIUM | 20 | Recommended improvement |
| LOW | 7 | Best practice advisory |
## Resource Coverage

Policies are evaluated for these 18 Terraform resource types:

- aws_s3_bucket
- aws_instance
- aws_security_group
- aws_db_instance
- aws_iam_policy
- aws_iam_role
- aws_iam_user_policy
- aws_cloudtrail
- aws_kms_key
- aws_lb
- aws_lb_listener
- aws_ebs_volume
- aws_ebs_snapshot_copy
- aws_lambda_function
- aws_cloudwatch_log_group
- aws_default_security_group
- aws_subnet
- aws_secretsmanager_secret