PlatformResourcesSign inSign Up

General Policies

Suggest Edits

How to Use this Page

This page lists the AWS General Policies that Bridgecrew helps you enforce. You can browse this page, or search for a specific policy ID or short title. For each policy, press the link for more details about a policy and its fix options.

Ensure EC2 instances have tags
Policy ID: BC_AWS_GENERAL_1

Ensure an unused EBS volume is attached to an instance
Policy ID: BC_AWS_GENERAL_2

Ensure AWS EBS volumes are encrypted
Policy ID: BC_AWS_GENERAL_3

Ensure AWS RDS DB cluster encryption is enabled
Policy ID: BC_AWS_GENERAL_4

Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
Policy ID: BC_AWS_GENERAL_5

Ensure DynamoDB PITR is enabled
Policy ID: BC_AWS_GENERAL_6

Ensure all data stored in the EBS snapshot is securely encrypted
Policy ID: BC_AWS_GENERAL_7

Ensure ECR image scan on push is enabled
Policy ID: BC_AWS_GENERAL_8

Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled
Policy ID: BC_AWS_GENERAL_9

Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled
Policy ID: BC_AWS_GENERAL_10

Ensure all data stored in the ElastiCache Replication Group is securely encrypted in-transit
Policy ID: BC_AWS_GENERAL_11

Ensure EBS volumes have encrypted launch configurations
Policy ID: BC_AWS_GENERAL_13

Ensure all data stored in SageMaker is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_14

Ensure AWS SNS topic has SSE enabled
Policy ID: BC_AWS_GENERAL_15

Ensure AWS SQS server side encryption is enabled
Policy ID: BC_AWS_GENERAL_16

Ensure AWS EFS with encryption for data at rest is enabled
Policy ID: BC_AWS_GENERAL_17

Ensure Neptune storage is securely encrypted
Policy ID: BC_AWS_GENERAL_18

Ensure all unused Elastic IPs are deleted
Policy ID: BC_AWS_GENERAL_19

Ensure unused network interfaces are deleted
Policy ID: BC_AWS_GENERAL_20

Ensure unused Elastic Load Balancers are deleted
Policy ID: BC_AWS_GENERAL_21

Ensure AWS Kinesis streams are encrypted using SSE
Policy ID: BC_AWS_GENERAL_22

Ensure DAX is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_23

Ensure ECR image tags are immutable
Policy ID: BC_AWS_GENERAL_24

Ensure AWS Redshift cluster is encrypted using CMKt
Policy ID: BC_AWS_GENERAL_25

Ensure AWS resources that support tags have Tags
Policy ID: BC_AWS_GENERAL_26

Ensure CloudFront distribution has WAF enabled
Policy ID: BC_AWS_GENERAL_27

Ensure DocumentDB is encrypted at rest
Policy ID: BC_AWS_GENERAL_28

Ensure Athena Database is encrypted at rest
Policy ID: BC_AWS_GENERAL_29

Ensure CodeBuild project encryption is not disabled
Policy ID: BC_AWS_GENERAL_30

Ensure Instance Metadata Service version 1 is not enabled
Policy ID: BC_AWS_GENERAL_31

Ensure MSK cluster encryption at rest and in transit is enabled
Policy ID: BC_AWS_GENERAL_32

Ensure Athena workgroup prevents disabling encryption
Policy ID: BC_AWS_GENERAL_33

Ensure instances with scheduled reboots are rescheduled or manually rebooted
Policy ID: BC_AWS_GENERAL_35

Ensure PGAudit is enabled on RDS Postgres instances
Policy ID: BC_AWS_GENERAL_36

Ensure Glue Data Catalog encryption is enabled
Policy ID: BC_AWS_GENERAL_37

Ensure all data stored in Aurora is securely encrypted at rest
Policy ID: BC_AWS_GENERAL_38

Ensure EFS volumes in ECS task definitions have encryption in transit enabled
Policy ID: BC_AWS_GENERAL_39

Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key
Policy ID: BC_AWS_GENERAL_40

Ensure AWS Glue security configuration encryption is enabled
Policy ID: BC_AWS_GENERAL_41

Ensure Neptune cluster instance is not publicly available
Policy ID: BC_AWS_GENERAL_42

Ensure AWS Load Balancer is using TLS 1.2
Policy ID: BC_AWS_GENERAL_43

Ensure API gateway caching is enabled
Policy ID: BC_AWS_GENERAL_44

Ensure DynamoDB Tables have Auto Scaling enabled
Policy ID: BC_AWS_GENERAL_44

Ensure Amazon ElastiCache Redis clusters have automatic backup turned on
Policy ID: BC_AWS_GENERAL_45

Ensure RDS instances have backup policy
Policy ID: BC_AWS_GENERAL_46

Ensure Redshift clusters have AWS Backup's backup plan
Policy ID: BC_AWS_GENERAL_47

Ensure Amazon EFS has an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_48

Ensure RDS clusters have an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_49

Ensure EBS has an AWS Backup backup plan
Policy ID: BC_AWS_GENERAL_50

Ensure KMS has a rotation policy
Policy ID: BC_AWS_GENERAL_51

Ensure DynamoDB tables are encrypted
Policy ID: BC_AWS_GENERAL_52

Ensure ECR repositories are encrypted
Policy ID: BC_AWS_GENERAL_53

Ensure RDS global clusters are encrypted
Policy ID: BC_AWS_GENERAL_54

Ensure Redshift cluster is encrypted by KMS
Policy ID: BC_AWS_GENERAL_55

Ensure S3 buckets are encrypted with KMS by default
Policy ID: BC_AWS_GENERAL_56

Ensure CodeBuild projects are encrypted
Policy ID: BC_AWS_GENERAL_57

Ensure Secret Manager secret is encrypted using KMS
Policy ID: BC_AWS_GENERAL_58

Ensure RDS database cluster snapshot is encrypted
Policy ID: BC_AWS_GENERAL_59

Ensure only encrypted EBS volumes are attached to EC2 instances
Policy ID: BC_AWS_GENERAL_60

Ensure load balancer has deletion protection enabled
Policy ID: BC_AWS_GENERAL_61

Ensure that AWS EMR clusters have Kerberos enabled
Policy ID: BC_AWS_GENERAL_62

Ensure AWS Lambda function is configured for function-level concurrent execution limit
Policy ID: BC_AWS_GENERAL_63

Ensure AWS Lambda function is configured for a DLQ
Policy ID: BC_AWS_GENERAL_64

Ensure AWS Lambda function is configured inside a VPC
Policy ID: BC_AWS_GENERAL_65

Ensure GuardDuty is enbaled to specific org/region
Policy ID: BC_AWS_GENERAL_66

Ensure Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager
Policy ID: BC_AWS_GENERAL_67

Ensure EC2 is EBS optimized
Policy ID: BC_AWS_GENERAL_68

Ensure RDS clusters and instances have deletion protection enabled
Policy ID: BC_AWS_GENERAL_69

Ensure Redshift cluster allow version upgrade by default
Policy ID: BC_AWS_GENERAL_70

Ensure S3 bucket has lock configuration enabled by default
Policy ID: BC_AWS_GENERAL_71

Ensure S3 bucket has cross-region replication enabled
Policy ID: BC_AWS_GENERAL_72

Ensure RDS instances have Multi-AZ enabled
Policy ID: BC_AWS_GENERAL_73

Ensure DocDB has audit logs enabled
Policy ID: BC_AWS_GENERAL_74

Ensure Redshift uses SSL
Policy ID: BC_AWS_GENERAL_75

Ensure Session Manager data is encrypted in transit
Policy ID: BC_AWS_GENERAL_76

Ensure that RDS database cluster snapshot is encrypted
Policy ID: BC_AWS_GENERAL_77

Ensure that CodeBuild projects are encrypted
Policy ID: BC_AWS_GENERAL_78

Ensure that Secrets Manager secret is encrypted using KMS
Policy ID: BC_AWS_GENERAL_79

Ensure that Load Balancer has deletion protection enabled
Policy ID: BC_AWS_GENERAL_80

Ensure EBS default encryption is enabled
Policy ID: BC_AWS_GENERAL_81

Autoscaling groups should supply tags to launch configurations
Policy ID: BC_AWS_GENERAL_82

Ensure that Workspace user volumes are encrypted
Policy ID: BC_AWS_GENERAL_83

Ensure that Workspace root volumes are encrypted
Policy ID: BC_AWS_GENERAL_84

Ensure that CloudWatch Log Group is encrypted by KMS
Policy ID: BC_AWS_GENERAL_85

Ensure that Athena Workgroup is encrypted
Policy ID: BC_AWS_GENERAL_86

Ensure that Timestream database is encrypted with KMS CMK
Policy ID: BC_AWS_GENERAL_87

Ensure Dynamodb point in time recovery is enabled for global tables
Policy ID: BC_AWS_GENERAL_88

Ensure Backup Vault is encrypted at rest using KMS CMK
Policy ID: BC_AWS_GENERAL_89

Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_90

Ensure SQS queue policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_91

Ensure SNS topic policy is not public by only allowing specific services or principals to access it
Policy ID: BC_AWS_GENERAL_92

Ensure QLDB ledger permissions mode is set to STANDARD
Policy ID: BC_AWS_GENERAL_93

Ensure EMR Cluster security configuration encryption uses SSE-KMS
Policy ID: BC_AWS_GENERAL_94

Ensure Route53 A Record has an attached resource
Policy ID: BC_AWS_GENERAL_95

Ensure Route53 A Record has an attached resource
Policy ID: BC_AWS_GENERAL_96

Ensure Route 53 DNS service modifications are detected
Policy ID: BC_AWS_ALERT_2

Ensure provisioned resources are not manually modified
Policy ID: BC_AWS_DRIFT_1

Ensure Glue component has a security configuration associated
Policy ID: BC_AWS_GENERAL_112

Updated 3 months ago