General Policies

How to Use this Page

This page lists the AWS General Policies that Bridgecrew helps you enforce. You can browse this page, or search for a specific policy ID or short title. For each policy, click its link for more details about the policy and its fix options.

Ensure EC2 instances have tags
Policy ID: BC_AWS_GENERAL_1

Ensure an unused EBS volume is attached to an instance
Policy ID: BC_AWS_GENERAL_2

Ensure AWS EBS volumes are encrypted
Policy ID: BC_AWS_GENERAL_3

Ensure AWS RDS DB cluster encryption is enabled
Policy ID: BC_AWS_GENERAL_4

Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
Policy ID: BC_AWS_GENERAL_5

Ensure DynamoDB PITR is enabled
Policy ID: BC_AWS_GENERAL_6

Ensure all data stored in the EBS snapshot is securely encrypted
Policy ID: BC_AWS_GENERAL_7

Ensure ECR image scan on push is enabled
Policy ID: BC_AWS_GENERAL_8

Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled
Policy ID: BC_AWS_GENERAL_9

Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled
Policy ID: BC_AWS_GENERAL_10

Ensure all data stored in the ElastiCache Replication Group is securely encrypted in-transit
Policy ID: BC_AWS_GENERAL_11

Ensure EBS volumes have encrypted launch configurations
Policy ID: BC_AWS_GENERAL_13

Ensure all data stored in SageMaker is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_14

Ensure AWS SNS topic has SSE enabled
Policy ID: BC_AWS_GENERAL_15

Ensure AWS SQS server side encryption is enabled
Policy ID: BC_AWS_GENERAL_16

Ensure AWS EFS with encryption for data at rest is enabled
Policy ID: BC_AWS_GENERAL_17

Ensure Neptune storage is securely encrypted
Policy ID: BC_AWS_GENERAL_18

Ensure all unused Elastic IPs are deleted
Policy ID: BC_AWS_GENERAL_19

Ensure unused network interfaces are deleted
Policy ID: BC_AWS_GENERAL_20

Ensure unused Elastic Load Balancers are deleted
Policy ID: BC_AWS_GENERAL_21

Ensure AWS Kinesis streams are encrypted using SSE
Policy ID: BC_AWS_GENERAL_22

Ensure DAX is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_23

Ensure ECR image tags are immutable
Policy ID: BC_AWS_GENERAL_24

Ensure AWS Redshift cluster is encrypted using CMK
Policy ID: BC_AWS_GENERAL_25

Ensure AWS resources that support tags have Tags
Policy ID: BC_AWS_GENERAL_26

Ensure CloudFront distribution has WAF enabled
Policy ID: BC_AWS_GENERAL_27

Ensure DocumentDB is encrypted at rest
Policy ID: BC_AWS_GENERAL_28

Ensure Athena Database is encrypted at rest
Policy ID: BC_AWS_GENERAL_29

Ensure CodeBuild project encryption is not disabled
Policy ID: BC_AWS_GENERAL_30

Ensure Instance Metadata Service version 1 is not enabled
Policy ID: BC_AWS_GENERAL_31

Ensure MSK cluster encryption at rest and in transit is enabled
Policy ID: BC_AWS_GENERAL_32

Ensure Athena workgroup prevents disabling encryption
Policy ID: BC_AWS_GENERAL_33

Ensure instances with scheduled reboots are rescheduled or manually rebooted
Policy ID: BC_AWS_GENERAL_35

Ensure PGAudit is enabled on RDS Postgres instances
Policy ID: BC_AWS_GENERAL_36

Ensure Glue Data Catalog encryption is enabled
Policy ID: BC_AWS_GENERAL_37

Ensure all data stored in Aurora is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_38

Ensure EFS volumes in ECS task definitions have encryption in transit enabled
Policy ID: BC_AWS_GENERAL_39

Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key
Policy ID: BC_AWS_GENERAL_40

Ensure AWS Glue security configuration encryption is enabled
Policy ID: BC_AWS_GENERAL_41

Ensure Neptune cluster instance is not publicly available
Policy ID: BC_AWS_GENERAL_42

Ensure AWS Load Balancer is using TLS 1.2
Policy ID: BC_AWS_GENERAL_43

Ensure API gateway caching is enabled
Policy ID: BC_AWS_GENERAL_44

Ensure DynamoDB Tables have Auto Scaling enabled
Policy ID: BC_AWS_GENERAL_44

Ensure Amazon ElastiCache Redis clusters have automatic backup turned on
Policy ID: BC_AWS_GENERAL_45

Ensure RDS instances have backup policy
Policy ID: BC_AWS_GENERAL_46

Ensure Redshift clusters have AWS Backup's backup plan
Policy ID: BC_AWS_GENERAL_47

Ensure Amazon EFS has an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_48

Ensure RDS clusters have an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_49

Ensure EBS has an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_50

Ensure KMS has a rotation policy
Policy ID: BC_AWS_GENERAL_51

Ensure DynamoDB tables are encrypted
Policy ID: BC_AWS_GENERAL_52

Ensure ECR repositories are encrypted
Policy ID: BC_AWS_GENERAL_53

Ensure RDS global clusters are encrypted
Policy ID: BC_AWS_GENERAL_54

Ensure Redshift cluster is encrypted by KMS
Policy ID: BC_AWS_GENERAL_55

Ensure S3 buckets are encrypted with KMS by default
Policy ID: BC_AWS_GENERAL_56

Ensure CodeBuild projects are encrypted
Policy ID: BC_AWS_GENERAL_57

Ensure Secret Manager secret is encrypted using KMS
Policy ID: BC_AWS_GENERAL_58

Ensure RDS database cluster snapshot is encrypted
Policy ID: BC_AWS_GENERAL_59

Ensure only encrypted EBS volumes are attached to EC2 instances
Policy ID: BC_AWS_GENERAL_60

Ensure load balancer has deletion protection enabled
Policy ID: BC_AWS_GENERAL_61

Ensure that AWS EMR clusters have Kerberos enabled
Policy ID: BC_AWS_GENERAL_62

Ensure AWS Lambda function is configured for function-level concurrent execution limit
Policy ID: BC_AWS_GENERAL_63

Ensure AWS Lambda function is configured for a DLQ
Policy ID: BC_AWS_GENERAL_64

Ensure AWS Lambda function is configured inside a VPC
Policy ID: BC_AWS_GENERAL_65

Ensure GuardDuty is enabled to specific org/region
Policy ID: BC_AWS_GENERAL_66

Ensure Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager
Policy ID: BC_AWS_GENERAL_67

Ensure EC2 is EBS optimized
Policy ID: BC_AWS_GENERAL_68

Ensure RDS clusters and instances have deletion protection enabled
Policy ID: BC_AWS_GENERAL_69

Ensure Redshift cluster allow version upgrade by default
Policy ID: BC_AWS_GENERAL_70

Ensure S3 bucket has lock configuration enabled by default
Policy ID: BC_AWS_GENERAL_71

Ensure S3 bucket has cross-region replication enabled
Policy ID: BC_AWS_GENERAL_72

Ensure RDS instances have Multi-AZ enabled
Policy ID: BC_AWS_GENERAL_73

Ensure DocDB has audit logs enabled
Policy ID: BC_AWS_GENERAL_74

Ensure Redshift uses SSL
Policy ID: BC_AWS_GENERAL_75

Ensure Session Manager data is encrypted in transit
Policy ID: BC_AWS_GENERAL_76

Ensure that RDS database cluster snapshot is encrypted
Policy ID: BC_AWS_GENERAL_77

Ensure that CodeBuild projects are encrypted
Policy ID: BC_AWS_GENERAL_78

Ensure that Secrets Manager secret is encrypted using KMS
Policy ID: BC_AWS_GENERAL_79

Ensure that Load Balancer has deletion protection enabled
Policy ID: BC_AWS_GENERAL_80

Ensure EBS default encryption is enabled
Policy ID: BC_AWS_GENERAL_81

Autoscaling groups should supply tags to launch configurations
Policy ID: BC_AWS_GENERAL_82

Ensure that Workspace user volumes are encrypted
Policy ID: BC_AWS_GENERAL_83

Ensure that Workspace root volumes are encrypted
Policy ID: BC_AWS_GENERAL_84

Ensure that CloudWatch Log Group is encrypted by KMS
Policy ID: BC_AWS_GENERAL_85

Ensure that Athena Workgroup is encrypted
Policy ID: BC_AWS_GENERAL_86

Ensure that Timestream database is encrypted with KMS CMK
Policy ID: BC_AWS_GENERAL_87

Ensure DynamoDB point in time recovery is enabled for global tables
Policy ID: BC_AWS_GENERAL_88

Ensure Backup Vault is encrypted at rest using KMS CMK
Policy ID: BC_AWS_GENERAL_89

Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_90

Ensure SQS queue policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_91

Ensure SNS topic policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_92

Ensure QLDB ledger permissions mode is set to STANDARD
Policy ID: BC_AWS_GENERAL_93

Ensure EMR Cluster security configuration encryption uses SSE-KMS
Policy ID: BC_AWS_GENERAL_94

Ensure Route53 A Record has an attached resource
Policy ID: BC_AWS_GENERAL_95

Ensure Route53 A Record has an attached resource
Policy ID: BC_AWS_GENERAL_96

Ensure Route 53 DNS service modifications are detected
Policy ID: BC_AWS_ALERT_2

Ensure provisioned resources are not manually modified
Policy ID: BC_AWS_DRIFT_1

Ensure Glue component has a security configuration associated
Policy ID: BC_AWS_GENERAL_112