AWS Policy Index

How to Use this Page

This page lists the AWS policies that Bridgecrew helps you enforce, grouped by category. You can browse this page, search for a specific policy ID, or jump to one of the categories from the list below or from the right menu. For each policy, click the link for more details about the policy and its remediation options.

Click a category to jump to that section on this page.

General

Ensure EC2 Instances have Tags
Violation ID: BC_AWS_GENERAL_1

EBS Volume Check
Violation ID: BC_AWS_GENERAL_2

Encrypt EBS Volume
Violation ID: BC_AWS_GENERAL_3

Enable RDS Instance Encryption
Violation ID: BC_AWS_GENERAL_4

Set CloudFront Distribution to HTTPS
Violation ID: BC_AWS_GENERAL_5

Enable DynamoDB Point-in-time Recovery
Violation ID: BC_AWS_GENERAL_6

Encrypt EBS Snapshot Data
Violation ID: BC_AWS_GENERAL_7

Enable ECR Image Scan on Push
Violation ID: BC_AWS_GENERAL_8

Encrypt ElastiCache Replication Group Data at Rest
Violation ID: BC_AWS_GENERAL_9

Encrypt ElastiCache Replication Group Data in Transit
Violation ID: BC_AWS_GENERAL_10

Encrypt ElastiCache Replication Group Data in Transit with Authentication Token
Violation ID: BC_AWS_GENERAL_11

Encrypt Launch Configuration EBS Data
Violation ID: BC_AWS_GENERAL_13

Encrypt SageMaker Data at Rest
Violation ID: BC_AWS_GENERAL_14

Encrypt SNS Topic Data
Violation ID: BC_AWS_GENERAL_15

Encrypt SQS Queue Data
Violation ID: BC_AWS_GENERAL_16

Encrypt Elastic File System
Violation ID: BC_AWS_GENERAL_17

Encrypt Neptune Storage
Violation ID: BC_AWS_GENERAL_18

Delete unused Network Interfaces
Violation ID: BC_AWS_GENERAL_20

Ensure Kinesis Stream is Securely Encrypted at Rest
Violation ID: BC_AWS_GENERAL_22

Ensure DAX is Securely Encrypted at Rest
Violation ID: BC_AWS_GENERAL_23

Ensure ECR Image Tags are Immutable
Violation ID: BC_AWS_GENERAL_24

Route 53 DNS Service Modification Detected
Violation ID: BC_AWS_ALERT_2

IAM

Avoid Account Root User
Violation ID: BC_AWS_IAM_1

MFA Enabled for IAM Users
Violation ID: BC_AWS_IAM_2

Disable Credentials Unused for 90 Days
Violation ID: BC_AWS_IAM_3

Access Key Rotation
Violation ID: BC_AWS_IAM_4

IAM Password Policy - Uppercase Letter
Violation ID: BC_AWS_IAM_5

IAM Password Policy - Lowercase Letter
Violation ID: BC_AWS_IAM_6

IAM Password Policy - Symbols
Violation ID: BC_AWS_IAM_7

IAM Password Policy - Numbers
Violation ID: BC_AWS_IAM_8

IAM Password Policy - Minimum Length
Violation ID: BC_AWS_IAM_9

IAM Password Policy - No Reuse
Violation ID: BC_AWS_IAM_10

IAM Password Policy - 90 Days
Violation ID: BC_AWS_IAM_11

Avoid Root Account Access Key
Violation ID: BC_AWS_IAM_12

Enable MFA for Root Account
Violation ID: BC_AWS_IAM_13

Enable Root Account Hardware MFA
Violation ID: BC_AWS_IAM_14

Security Questions Registered
Violation ID: BC_AWS_IAM_15

IAM Policy Privileges
Violation ID: BC_AWS_IAM_16

Enable Detailed Billing
Violation ID: BC_AWS_IAM_17

Maintain Contact Details
Violation ID: BC_AWS_IAM_18

Security Contact Information Registered
Violation ID: BC_AWS_IAM_19

AWS Resource Access
Violation ID: BC_AWS_IAM_20

AWS Support Role
Violation ID: BC_AWS_IAM_21

Access Key Check
Violation ID: BC_AWS_IAM_22

Full Admin Privileges Check
Violation ID: BC_AWS_IAM_23

Rotate Access Keys - 30 Days
Violation ID: BC_AWS_IAM_24

Rotate Access Keys - 45 Days
Violation ID: BC_AWS_IAM_25

Access Key Inactivity - 90 Days
Violation ID: BC_AWS_IAM_29

User Inactivity - 30 Days
Violation ID: BC_AWS_IAM_30

Remove Unused Roles
Violation ID: BC_AWS_IAM_34

Remove Unused User
Violation ID: BC_AWS_IAM_35

Remove Unused Admin Role
Violation ID: BC_AWS_IAM_36

Remove Unused Admin User
Violation ID: BC_AWS_IAM_37

Remove Empty Groups
Violation ID: BC_AWS_IAM_38

Remove Unattached Policies
Violation ID: BC_AWS_IAM_39

Detach Policies Unused by User
Violation ID: BC_AWS_IAM_40

Detach Policies Unused by Role
Violation ID: BC_AWS_IAM_41

Detach Policies Unused by Group
Violation ID: BC_AWS_IAM_42

No Policies Allow "*"
Violation ID: BC_AWS_IAM_43

Ensure IAM Role Assumes Specific Services and Principals
Violation ID: BC_AWS_IAM_44

Ensure IAM Role Assumes Specific Principals in Account
Violation ID: BC_AWS_IAM_45

IAM Modification Detected
Violation ID: BC_AWS_ALERT_5

Kubernetes

Amazon EKS Public Endpoint Not Accessible to 0.0.0.0/0
Violation ID: BC_AWS_KUBERNETES_1

Amazon EKS Public Endpoint Disabled
Violation ID: BC_AWS_KUBERNETES_2

Enable EKS Cluster Secrets Encryption
Violation ID: BC_AWS_KUBERNETES_3

Enable Amazon EKS Logging
Violation ID: BC_AWS_KUBERNETES_4

Logging

Enable CloudTrail - Regions
Violation ID: BC_AWS_LOGGING_1

Enable CloudTrail Log File Validation
Violation ID: BC_AWS_LOGGING_2

CloudTrail Log Not Public
Violation ID: BC_AWS_LOGGING_3

Integrate CloudTrail and CloudWatch Logs
Violation ID: BC_AWS_LOGGING_4

Enable AWS Config - Regions
Violation ID: BC_AWS_LOGGING_5

Enable CloudTrail S3 Bucket Access Logging
Violation ID: BC_AWS_LOGGING_6

Encrypt CloudTrail Logs at Rest
Violation ID: BC_AWS_LOGGING_7

Enable CMK Rotation
Violation ID: BC_AWS_LOGGING_8

Enable VPC Flow Logging
Violation ID: BC_AWS_LOGGING_9

Enable MQ Broker Logging
Violation ID: BC_AWS_LOGGING_10

Container Insights Enabled
Violation ID: BC_AWS_LOGGING_11

Networking

Port Security 0.0.0.0:0 to 22
Violation ID: BC_AWS_NETWORKING_1

Port Security 0.0.0.0:0 to 3389
Violation ID: BC_AWS_NETWORKING_2

Restrict VPC Traffic
Violation ID: BC_AWS_NETWORKING_4

VPC Peering Routing Tables "Least Access"
Violation ID: BC_AWS_NETWORKING_5

EC2 Instance Security
Violation ID: BC_AWS_NETWORKING_6

Do Not Expose AWS VPC Endpoints
Violation ID: BC_AWS_NETWORKING_9

Restrict Security Group
Violation ID: BC_AWS_NETWORKING_10

Security Group Traffic Limited to Ports 80 and 443
Violation ID: BC_AWS_NETWORKING_11

Restrict Security Group Attached to EC2
Violation ID: BC_AWS_NETWORKING_12

Restrict Security Group Attached to RDS Database
Violation ID: BC_AWS_NETWORKING_13

Restrict Security Group Attached to Network Interface
Violation ID: BC_AWS_NETWORKING_14

Restrict Security Group Access to Classic Load Balancer
Violation ID: BC_AWS_NETWORKING_15

Restrict Security Group Access to Application Load Balancer
Violation ID: BC_AWS_NETWORKING_16

Restrict EC2 Security Group Inbound Traffic to TCP Port 9300
Violation ID: BC_AWS_NETWORKING_17

Restrict EC2 Security Group Inbound Traffic to TCP Port 5601
Violation ID: BC_AWS_NETWORKING_18

Restrict EC2 Security Group Inbound Traffic to TCP Port 6379
Violation ID: BC_AWS_NETWORKING_19

Restrict EC2 Security Group Inbound Traffic to TCP Port 2379
Violation ID: BC_AWS_NETWORKING_20

Restrict EC2 Security Group Inbound Traffic to TCP Port 27017
Violation ID: BC_AWS_NETWORKING_21

Restrict EC2 Security Group Inbound Traffic to TCP Port 27018
Violation ID: BC_AWS_NETWORKING_22

Restrict Elastic Load Balancer Security Group Inbound Traffic to TCP Port 27017
Violation ID: BC_AWS_NETWORKING_23

Restrict Elastic Load Balancer Security Group Inbound Traffic to TCP Port 27018
Violation ID: BC_AWS_NETWORKING_24

Restrict Application Load Balancer Security Group Inbound Traffic to TCP Port 27017
Violation ID: BC_AWS_NETWORKING_25

Restrict Application Load Balancer Security Group Inbound Traffic to TCP Port 27018
Violation ID: BC_AWS_NETWORKING_26

Configure VPC Settings
Violation ID: BC_AWS_NETWORKING_27

Whitelist Internet-facing ELB
Violation ID: BC_AWS_NETWORKING_28

Set ALB to HTTPS
Violation ID: BC_AWS_NETWORKING_29

Ensure Security Group Rule Description
Violation ID: BC_AWS_NETWORKING_31

Set CloudFront Distribution ViewerProtocolPolicy to HTTPS
Violation ID: BC_AWS_NETWORKING_32

Ensure CloudFront Distributions Do Not Use Deprecated SSL Protocols
Violation ID: BC_AWS_NETWORKING_33

Ensure Elastic Load Balancers do Not Allow Insecure SSL Ciphers
Violation ID: BC_AWS_NETWORKING_34

Security Group Modification Detected
Violation ID: BC_AWS_ALERT_3

Public

ECR Repositories not Public
Violation ID: BC_AWS_PUBLIC_1

RDS Instances Not Publicly Accessible
Violation ID: BC_AWS_PUBLIC_2

Elasticsearch Domain Disallows Open Access
Violation ID: BC_AWS_PUBLIC_3

SQS Queue Not Public
Violation ID: BC_AWS_PUBLIC_4

SNS Topic not Public
Violation ID: BC_AWS_PUBLIC_5

API Gateway Authorizer Set
Violation ID: BC_AWS_PUBLIC_6

Elasticsearch

Enable EncryptionAtRest
Violation ID: BC_AWS_ELASTICSEARCH_3

Enable Elasticsearch Node-to-node Encryption
Violation ID: BC_AWS_ELASTICSEARCH_5

Enable Elasticsearch Domain EnforceHTTPS
Violation ID: BC_AWS_ELASTICSEARCH_6

Monitoring

Log Metric Filter and Alarm - Unauthorized API Calls
Violation ID: BC_AWS_MONITORING_1

Log Metric Filter and Alarm - Console Sign-in, no MFA
Violation ID: BC_AWS_MONITORING_2

Log Metric Filter and Alarm - Root Account Usage
Violation ID: BC_AWS_MONITORING_3

Log Metric Filter and Alarm - IAM Policy Changes
Violation ID: BC_AWS_MONITORING_4

Log Metric Filter and Alarm - CloudTrail Config Changes
Violation ID: BC_AWS_MONITORING_5

Log Metric Filter and Alarm - AWS Console Authentication Failures
Violation ID: BC_AWS_MONITORING_6

Log Metric Filter and Alarm - Customer Created CMKs
Violation ID: BC_AWS_MONITORING_7

Log Metric Filter and Alarm - S3 Bucket Policy Changes
Violation ID: BC_AWS_MONITORING_8

Log Metric Filter and Alarm - AWS Config Changes
Violation ID: BC_AWS_MONITORING_9

Log Metric Filter and Alarm - Security Group Changes
Violation ID: BC_AWS_MONITORING_10

Log Metric Filter and Alarm - Changes to NACL
Violation ID: BC_AWS_MONITORING_11

Log Metric Filter and Alarm - Change to Network Gateway
Violation ID: BC_AWS_MONITORING_12

Log Metric Filter and Alarm - Change to Route Table
Violation ID: BC_AWS_MONITORING_13

Log Metric Filter and Alarm - Change to VPC
Violation ID: BC_AWS_MONITORING_14

S3

S3 Bucket ACL Read Permission - Everyone
Violation ID: BC_AWS_S3_1

S3 Bucket ACL Write Permission - Everyone
Violation ID: BC_AWS_S3_2

S3 Bucket ACL Read ACP Permission - Everyone
Violation ID: BC_AWS_S3_3

S3 Bucket ACL Write ACP Permission - Everyone
Violation ID: BC_AWS_S3_4

S3 Bucket ACL Full Control - Everyone
Violation ID: BC_AWS_S3_5

S3 Bucket ACL Read Permission - AWS
Violation ID: BC_AWS_S3_6

S3 Bucket ACL Write Permission - AWS
Violation ID: BC_AWS_S3_7

S3 Bucket ACL Read ACP Permission - AWS
Violation ID: BC_AWS_S3_8

S3 Bucket ACL Write ACP Permission - AWS
Violation ID: BC_AWS_S3_9

S3 Bucket ACL Full Control - AWS
Violation ID: BC_AWS_S3_10

S3 Bucket Allow Permission - Everyone
Violation ID: BC_AWS_S3_11

Enable S3 Bucket Logging
Violation ID: BC_AWS_S3_13

S3 Bucket Data Encrypted at Rest
Violation ID: BC_AWS_S3_14

Secure S3 Bucket Data Transport
Violation ID: BC_AWS_S3_15

Enable S3 Bucket Versioning
Violation ID: BC_AWS_S3_16

S3 Bucket Write Permissions - Public
Violation ID: BC_AWS_S3_18

Enable S3 Bucket Block Public ACLs
Violation ID: BC_AWS_S3_19

Enable S3 Bucket Block Public Policy
Violation ID: BC_AWS_S3_20

Enable S3 Bucket IgnorePublicAcls
Violation ID: BC_AWS_S3_21

Enable S3 Bucket RestrictPublicBucket
Violation ID: BC_AWS_S3_22

S3 Modification Detected
Violation ID: BC_AWS_ALERT_1

Secrets

No Secrets Exposed in ECS User Data
Violation ID: BC_AWS_SECRETS_1

No Secrets Exposed in CloudFormation Output
Violation ID: BC_AWS_SECRETS_2

No Secrets Exposed in Lambda Variables
Violation ID: BC_AWS_SECRETS_3

No Secrets Exposed in ECS Task Definition Variables
Violation ID: BC_AWS_SECRETS_4

Ensure AWS Access Key and Secret Key are Not Hard
Violation ID: BC_AWS_SECRETS_5

Serverless

Remove Lambda Admin Privileges
Violation ID: BC_AWS_SERVERLESS_1

Remove Lambda Cross-Account Access
Violation ID: BC_AWS_SERVERLESS_2

Serverless Lambda Modification Detected
Violation ID: BC_AWS_ALERT_4
