Skip to content
/ tflint-ruleset-aws-cis Public

Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from Gruntwork's CIS Service Catalog.

gruntwork.io/achieve-compliance/

License

Apache-2.0 license
12 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

gruntwork-io/tflint-ruleset-aws-cis

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
.github/workflows
.github/workflows
 
 
docs
docs
 
 
rules
rules
 
 
.gitignore
.gitignore
 
 
.goreleaser.yml
.goreleaser.yml
 
 
LICENSE.txt
LICENSE.txt
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

TFLint Ruleset CIS AWS Foundations Benchmark

CIS AWS Foundations Benchmark Version https://gruntwork.io/?ref=repo_cis_compliance_aws"

Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from Gruntwork's CIS Service Catalog.

⚠️ This repository is a WIP. It only contains one single rule so far, to validate Security Groups, that is hard to enforce in any other way (see Rules section). In the future, we may add other CIS AWS Foundations Benchmark rules.

Requirements

  • TFLint v0.40+
  • Go v1.19

Installation

You can install the plugin with tflint --init. Declare a config in .tflint.hcl as follows:

plugin "aws-cis" {
  enabled = true

  version = "<VERSION>"
  source  = "github.com/gruntwork-io/tflint-ruleset-aws-cis"
}

Rules

Name Description Severity Enabled CIS Recommendation
aws_security_group_rule_invalid_cidr_block Ensure that SG rules do not allow public access to remote administration ports ERROR 5.2 and 5.3

Terragrunt

An effective way to enforce these rules is to add them to your Terragrunt configuration using Before Hooks.

terraform {
  before_hook "before_hook" {
    commands     = ["apply", "plan"]
    execute      = ["tflint"]
  }
}

In the root of the Terragrunt project, add a .tflint.hcl file, replacing <VERSION> below with the latest version from the releases page:

plugin "aws" {
    enabled = true
    version = "<VERSION>"
    source  = "github.com/gruntwork-io/tflint-ruleset-aws-cis"
}

Running locally

Building the plugin

Clone the repository locally and run the following command:

$ make

You can easily install the built plugin with the following:

$ make install

You can run the built plugin like the following:

$ cat << EOS > .tflint.hcl
plugin "aws-cis" {
  enabled = true
}
EOS
$ tflint

Manual release

NOTE: This project doesn't have automated releases at the moment (due to limitations of our GitHub org with GitHub actions) and does not sign the binaries (as tflint doesn't currently check signatures for plugins). See this Slack thread for more info.

In order to release the binaries, this project uses goreleaser (install instructions).

Export the variable GITHUB_TOKEN so the binaries can be uploaded to GitHub. The release should run locally from the tag that will have the release.

git checkout <TAG FOR THE RELEASE, e.g. v0.40.0>

export GITHUB_TOKEN=<TOKEN>

goreleaser release

About

Tflint rules for CIS AWS Foundations Benchmark compliance checks. These rules work in addition to the recommendations from Gruntwork's CIS Service Catalog.

gruntwork.io/achieve-compliance/

Topics

aws devops cis terraform tflint

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

12 stars

Watchers

12 watching

Forks

4 forks
Report repository

Releases 2

v0.0.2 Latest
Jan 6, 2023
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •  

Languages