General Policies
How to Use this Page
This page lists the AWS General Policies that Bridgecrew helps you enforce. You can browse this page, or search for a specific policy ID or short title. For each policy, click the link for more details about the policy and its fix options.
Ensure EC2 instances have tags
Policy ID: BC_AWS_GENERAL_1
Ensure an unused EBS volume is attached to an instance
Policy ID: BC_AWS_GENERAL_2
Ensure AWS EBS volumes are encrypted
Policy ID: BC_AWS_GENERAL_3
Ensure AWS RDS DB cluster encryption is enabled
Policy ID: BC_AWS_GENERAL_4
Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
Policy ID: BC_AWS_GENERAL_5
Ensure DynamoDB PITR is enabled
Policy ID: BC_AWS_GENERAL_6
Ensure all data stored in the EBS snapshot is securely encrypted
Policy ID: BC_AWS_GENERAL_7
Ensure ECR image scan on push is enabled
Policy ID: BC_AWS_GENERAL_8
Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled
Policy ID: BC_AWS_GENERAL_9
Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled
Policy ID: BC_AWS_GENERAL_10
Ensure all data stored in the ElastiCache Replication Group is securely encrypted in-transit
Policy ID: BC_AWS_GENERAL_11
Ensure EBS volumes have encrypted launch configurations
Policy ID: BC_AWS_GENERAL_13
Ensure all data stored in SageMaker is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_14
Ensure AWS SNS topic has SSE enabled
Policy ID: BC_AWS_GENERAL_15
Ensure AWS SQS server side encryption is enabled
Policy ID: BC_AWS_GENERAL_16
Ensure AWS EFS with encryption for data at rest is enabled
Policy ID: BC_AWS_GENERAL_17
Ensure Neptune storage is securely encrypted
Policy ID: BC_AWS_GENERAL_18
Ensure all unused Elastic IPs are deleted
Policy ID: BC_AWS_GENERAL_19
Ensure unused network interfaces are deleted
Policy ID: BC_AWS_GENERAL_20
Ensure unused Elastic Load Balancers are deleted
Policy ID: BC_AWS_GENERAL_21
Ensure AWS Kinesis streams are encrypted using SSE
Policy ID: BC_AWS_GENERAL_22
Ensure DAX is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_23
Ensure ECR image tags are immutable
Policy ID: BC_AWS_GENERAL_24
Ensure AWS Redshift cluster is encrypted using CMK
Policy ID: BC_AWS_GENERAL_25
Ensure AWS resources that support tags have Tags
Policy ID: BC_AWS_GENERAL_26
Ensure CloudFront distribution has WAF enabled
Policy ID: BC_AWS_GENERAL_27
Ensure DocumentDB is encrypted at rest
Policy ID: BC_AWS_GENERAL_28
Ensure Athena Database is encrypted at rest
Policy ID: BC_AWS_GENERAL_29
Ensure CodeBuild project encryption is not disabled
Policy ID: BC_AWS_GENERAL_30
Ensure Instance Metadata Service version 1 is not enabled
Policy ID: BC_AWS_GENERAL_31
Ensure MSK cluster encryption at rest and in transit is enabled
Policy ID: BC_AWS_GENERAL_32
Ensure Athena workgroup prevents disabling encryption
Policy ID: BC_AWS_GENERAL_33
Ensure instances with scheduled reboots are rescheduled or manually rebooted
Policy ID: BC_AWS_GENERAL_35
Ensure PGAudit is enabled on RDS Postgres instances
Policy ID: BC_AWS_GENERAL_36
Ensure Glue Data Catalog encryption is enabled
Policy ID: BC_AWS_GENERAL_37
Ensure all data stored in Aurora is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_38
Ensure EFS volumes in ECS task definitions have encryption in transit enabled
Policy ID: BC_AWS_GENERAL_39
Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key
Policy ID: BC_AWS_GENERAL_40
Ensure AWS Glue security configuration encryption is enabled
Policy ID: BC_AWS_GENERAL_41
Ensure Neptune cluster instance is not publicly available
Policy ID: BC_AWS_GENERAL_42
Ensure AWS Load Balancer is using TLS 1.2
Policy ID: BC_AWS_GENERAL_43
Ensure API gateway caching is enabled
Policy ID: BC_AWS_GENERAL_44
Ensure DynamoDB Tables have Auto Scaling enabled
Policy ID: BC_AWS_GENERAL_44
Ensure Amazon ElastiCache Redis clusters have automatic backup turned on
Policy ID: BC_AWS_GENERAL_45
Ensure RDS instances have backup policy
Policy ID: BC_AWS_GENERAL_46
Ensure Redshift clusters have AWS Backup's backup plan
Policy ID: BC_AWS_GENERAL_47
Ensure Amazon EFS has an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_48
Ensure RDS clusters have an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_49
Ensure EBS has an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_50
Ensure KMS has a rotation policy
Policy ID: BC_AWS_GENERAL_51
Ensure DynamoDB tables are encrypted
Policy ID: BC_AWS_GENERAL_52
Ensure ECR repositories are encrypted
Policy ID: BC_AWS_GENERAL_53
Ensure RDS global clusters are encrypted
Policy ID: BC_AWS_GENERAL_54
Ensure Redshift cluster is encrypted by KMS
Policy ID: BC_AWS_GENERAL_55
Ensure S3 buckets are encrypted with KMS by default
Policy ID: BC_AWS_GENERAL_56
Ensure CodeBuild projects are encrypted
Policy ID: BC_AWS_GENERAL_57
Ensure Secret Manager secret is encrypted using KMS
Policy ID: BC_AWS_GENERAL_58
Ensure RDS database cluster snapshot is encrypted
Policy ID: BC_AWS_GENERAL_59
Ensure only encrypted EBS volumes are attached to EC2 instances
Policy ID: BC_AWS_GENERAL_60
Ensure load balancer has deletion protection enabled
Policy ID: BC_AWS_GENERAL_61
Ensure that AWS EMR clusters have Kerberos enabled
Policy ID: BC_AWS_GENERAL_62
Ensure AWS Lambda function is configured for function-level concurrent execution limit
Policy ID: BC_AWS_GENERAL_63
Ensure AWS Lambda function is configured for a DLQ
Policy ID: BC_AWS_GENERAL_64
Ensure AWS Lambda function is configured inside a VPC
Policy ID: BC_AWS_GENERAL_65
Ensure GuardDuty is enabled to specific org/region
Policy ID: BC_AWS_GENERAL_66
Ensure Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager
Policy ID: BC_AWS_GENERAL_67
Ensure EC2 is EBS optimized
Policy ID: BC_AWS_GENERAL_68
Ensure RDS clusters and instances have deletion protection enabled
Policy ID: BC_AWS_GENERAL_69
Ensure Redshift cluster allows version upgrade by default
Policy ID: BC_AWS_GENERAL_70
Ensure S3 bucket has lock configuration enabled by default
Policy ID: BC_AWS_GENERAL_71
Ensure S3 bucket has cross-region replication enabled
Policy ID: BC_AWS_GENERAL_72
Ensure RDS instances have Multi-AZ enabled
Policy ID: BC_AWS_GENERAL_73
Ensure DocDB has audit logs enabled
Policy ID: BC_AWS_GENERAL_74
Ensure Redshift uses SSL
Policy ID: BC_AWS_GENERAL_75
Ensure Session Manager data is encrypted in transit
Policy ID: BC_AWS_GENERAL_76
Ensure that RDS database cluster snapshot is encrypted
Policy ID: BC_AWS_GENERAL_77
Ensure that CodeBuild projects are encrypted
Policy ID: BC_AWS_GENERAL_78
Ensure that Secrets Manager secret is encrypted using KMS
Policy ID: BC_AWS_GENERAL_79
Ensure that Load Balancer has deletion protection enabled
Policy ID: BC_AWS_GENERAL_80
Ensure EBS default encryption is enabled
Policy ID: BC_AWS_GENERAL_81
Autoscaling groups should supply tags to launch configurations
Policy ID: BC_AWS_GENERAL_82
Ensure that Workspace user volumes are encrypted
Policy ID: BC_AWS_GENERAL_83
Ensure that Workspace root volumes are encrypted
Policy ID: BC_AWS_GENERAL_84
Ensure that CloudWatch Log Group is encrypted by KMS
Policy ID: BC_AWS_GENERAL_85
Ensure that Athena Workgroup is encrypted
Policy ID: BC_AWS_GENERAL_86
Ensure that Timestream database is encrypted with KMS CMK
Policy ID: BC_AWS_GENERAL_87
Ensure DynamoDB point-in-time recovery is enabled for global tables
Policy ID: BC_AWS_GENERAL_88
Ensure Backup Vault is encrypted at rest using KMS CMK
Policy ID: BC_AWS_GENERAL_89
Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_90
Ensure SQS queue policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_91
Ensure SNS topic policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_92
Ensure QLDB ledger permissions mode is set to STANDARD
Policy ID: BC_AWS_GENERAL_93
Ensure EMR Cluster security configuration encryption uses SSE-KMS
Policy ID: BC_AWS_GENERAL_94
Ensure Route53 A Record has an attached resource
Policy ID: BC_AWS_GENERAL_95
Ensure Route53 A Record has an attached resource
Policy ID: BC_AWS_GENERAL_96
Ensure Route 53 DNS service modifications are detected
Policy ID: BC_AWS_ALERT_2
Ensure provisioned resources are not manually modified
Policy ID: BC_AWS_DRIFT_1
Ensure Glue component has a security configuration associated
Policy ID: BC_AWS_GENERAL_112
Updated 9 months ago