Best practices for AWS

org.openrewrite.terraform.aws.AWSBestPractices
Securely operate on Amazon Web Services.
Tags
terraform
AWS
Source
​GitHub, Issue Tracker, Maven Central​
groupId: org.openrewrite.recipe
artifactId: rewrite-terraform
version: 2.0.4
Usage
This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-terraform:2.0.4 in your build file or by running a shell command (in which case no build changes are needed):
Gradle
Gradle init script
Maven POM
Maven Command Line
1.Add the following to your build.gradle file:
build.gradle
plugins {
    id("org.openrewrite.rewrite") version("6.3.11")
}
​
rewrite {
    activeRecipe("org.openrewrite.terraform.aws.AWSBestPractices")
}
​
repositories {
    mavenCentral()
}
​
dependencies {
    rewrite("org.openrewrite.recipe:rewrite-terraform:2.0.4")
}
2.Run gradle rewriteRun to run the recipe.
1.Create a file named init.gradle in the root of your project.
init.gradle
initscript {
    repositories {
        maven { url "https://plugins.gradle.org/m2" }
    }
    dependencies { classpath("org.openrewrite:plugin:6.3.11") }
}
rootProject {
    plugins.apply(org.openrewrite.gradle.RewritePlugin)
    dependencies {
        rewrite("org.openrewrite.recipe:rewrite-terraform:2.0.4")
    }
    rewrite {
        activeRecipe("org.openrewrite.terraform.aws.AWSBestPractices")
    }
    afterEvaluate {
        if (repositories.isEmpty()) {
            repositories {
                mavenCentral()
            }
        }
    }
}
2.Run gradle --init-script init.gradle rewriteRun to run the recipe.
1.Add the following to your pom.xml file:
pom.xml
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.5.2</version>
        <configuration>
          <activeRecipes>
            <recipe>org.openrewrite.terraform.aws.AWSBestPractices</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-terraform</artifactId>
            <version>2.0.4</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>
2.Run mvn rewrite:run to run the recipe.
shell
mvn -U org.openrewrite.maven:rewrite-maven-plugin:run \
  -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-terraform:RELEASE \
  -Drewrite.activeRecipes=org.openrewrite.terraform.aws.AWSBestPractices
Definition
Recipe List
Yaml Recipe List
​Encrypt EBS volumes​
​Encrypt EBS snapshots​
​Ensure AWS Elasticsearch domain encryption for data at rest is enabled​
​Ensure AWS Elasticsearch has node-to-node encryption enabled​
​Ensure AWS CMK rotation is enabled​
​Encrypt EBS volume launch configurations​
​Ensure IAM password policy expires passwords within 90 days or less​
​Ensure AWS IAM password policy has a minimum of 14 characters​
​Ensure IAM password policy requires at least one lowercase letter​
​Ensure IAM password policy requires at least one number​
​Ensure IAM password policy prevents password reuse​
​Ensure IAM password policy requires at least one symbol​
​Ensure IAM password policy requires at least one uppercase letter​
​Encrypt RDS clusters​
​Ensure AWS RDS database instance is not publicly accessible​
​Ensure data stored in an S3 bucket is securely encrypted at rest​
​Ensure AWS S3 object versioning is enabled​
​Enable point-in-time recovery for DynamoDB​
​Encrypt ElastiCache Redis at rest​
​Encrypt ElastiCache Redis in transit​
​Scan images pushed to ECR​
​Use HTTPS for Cloudfront distribution​
​Ensure CloudTrail log file validation is enabled​
​Ensure Amazon EKS control plane logging enabled for all log types​
​Ensure AWS EKS cluster endpoint access is publicly disabled​
​Ensure AWS EFS with encryption for data at rest is enabled​
​Ensure Kinesis Stream is securely encrypted​
​Encrypt Neptune storage​
​Encrypt DAX storage at rest​
​Ensure AWS Lambda functions have tracing enabled​
​Make ECR tags immutable​
​Encrypt Redshift storage at rest​
​Encrypt DocumentDB storage​
​Disable Instance Metadata Service version 1​
​Ensure AWS Elasticsearch domains have EnforceHTTPS enabled​
​Encrypt Aurora clusters​
​Encrypt EFS Volumes in ECS Task Definitions in transit​
​Ensure AWS Lambda function is configured for function-level concurrent execution limit​
​Ensure enhanced monitoring for Amazon RDS instances is enabled​
​Enable API gateway caching​
​Ensure detailed monitoring for EC2 instances is enabled​
​Ensure respective logs of Amazon RDS are enabled​
​Ensure VPC subnets do not assign public IP by default​
​Ensure EC2 is EBS optimized​
​Ensure ECR repositories are encrypted​
​Encrypt CodeBuild projects​
​Ensure RDS instances have Multi-AZ enabled​
​Ensure RDS database has IAM authentication enabled​
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.terraform.aws.AWSBestPractices
displayName: Best practices for AWS
description: Securely operate on Amazon Web Services.
tags:
  - terraform
  - AWS
recipeList:
  - org.openrewrite.terraform.aws.EncryptEBSVolumes
  - org.openrewrite.terraform.aws.EncryptEBSSnapshots
  - org.openrewrite.terraform.aws.EnsureAWSElasticsearchDomainEncryptionForDataAtRestIsEnabled
  - org.openrewrite.terraform.aws.EnsureAWSElasticsearchHasNodeToNodeEncryptionEnabled
  - org.openrewrite.terraform.aws.EnsureAWSCMKRotationIsEnabled
  - org.openrewrite.terraform.aws.EncryptEBSVolumeLaunchConfiguration
  - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyExpiresPasswordsWithin90DaysOrLess
  - org.openrewrite.terraform.aws.EnsureAWSIAMPasswordPolicyHasAMinimumOf14Characters
  - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneLowercaseLetter
  - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneNumber
  - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyPreventsPasswordReuse
  - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneSymbol
  - org.openrewrite.terraform.aws.EnsureIAMPasswordPolicyRequiresAtLeastOneUppercaseLetter
  - org.openrewrite.terraform.aws.EncryptRDSClusters
  - org.openrewrite.terraform.aws.EnsureAWSRDSDatabaseInstanceIsNotPubliclyAccessible
  - org.openrewrite.terraform.aws.EnsureDataStoredInAnS3BucketIsSecurelyEncryptedAtRest
  - org.openrewrite.terraform.aws.EnsureAWSS3ObjectVersioningIsEnabled
  - org.openrewrite.terraform.aws.EnableDynamoDbPITR
  - org.openrewrite.terraform.aws.EncryptElastiCacheRedisAtRest
  - org.openrewrite.terraform.aws.EncryptElastiCacheRedisInTransit
  - org.openrewrite.terraform.aws.EnableECRScanOnPush
  - org.openrewrite.terraform.aws.UseHttpsForCloudfrontDistribution
  - org.openrewrite.terraform.aws.EnsureCloudTrailLogFileValidationIsEnabled
  - org.openrewrite.terraform.aws.EnsureAmazonEKSControlPlaneLoggingEnabledForAllLogTypes
  - org.openrewrite.terraform.aws.EnsureAWSEKSClusterEndpointAccessIsPubliclyDisabled
  - org.openrewrite.terraform.aws.EnsureAWSEFSWithEncryptionForDataAtRestIsEnabled
  - org.openrewrite.terraform.aws.EnsureKinesisStreamIsSecurelyEncrypted
  - org.openrewrite.terraform.aws.EncryptNeptuneStorage
  - org.openrewrite.terraform.aws.EncryptDAXStorage
  - org.openrewrite.terraform.aws.EnsureAWSLambdaFunctionsHaveTracingEnabled
  - org.openrewrite.terraform.aws.ImmutableECRTags
  - org.openrewrite.terraform.aws.EncryptRedshift
  - org.openrewrite.terraform.aws.EncryptDocumentDB
  - org.openrewrite.terraform.aws.DisableInstanceMetadataServiceV1
  - org.openrewrite.terraform.aws.EnsureAWSElasticsearchDomainsHaveEnforceHTTPSEnabled
  - org.openrewrite.terraform.aws.EncryptAuroraClusters
  - org.openrewrite.terraform.aws.EncryptEFSVolumesInECSTaskDefinitionsInTransit
  - org.openrewrite.terraform.aws.EnsureAWSLambdaFunctionIsConfiguredForFunctionLevelConcurrentExecutionLimit
  - org.openrewrite.terraform.aws.EnsureEnhancedMonitoringForAmazonRDSInstancesIsEnabled
  - org.openrewrite.terraform.aws.EnableApiGatewayCaching
  - org.openrewrite.terraform.aws.EnsureDetailedMonitoringForEC2InstancesIsEnabled
  - org.openrewrite.terraform.aws.EnsureRespectiveLogsOfAmazonRDSAreEnabled
  - org.openrewrite.terraform.aws.EnsureVPCSubnetsDoNotAssignPublicIPByDefault
  - org.openrewrite.terraform.aws.EnsureEC2IsEBSOptimized
  - org.openrewrite.terraform.aws.EnsureECRRepositoriesAreEncrypted
  - org.openrewrite.terraform.aws.EncryptCodeBuild
  - org.openrewrite.terraform.aws.EnsureRDSInstancesHaveMultiAZEnabled
  - org.openrewrite.terraform.aws.EnsureRDSDatabaseHasIAMAuthenticationEnabled
​
Contributors
​Jonathan Schneider​
​Aaron Gershman​
​pocan101​
​Kun Li​
​Knut Wannheden​
​Sam Snyder​
See how this recipe works across multiple open-source repositories
​​
​​
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.
AWS
Disable Instance Metadata Service version 1
Last modified 6d ago