Expand OPA platform policies#5
Conversation
There was a problem hiding this comment.
Summary
This PR expands OPA platform policies with comprehensive security checks across compute, data, IAM, logging, networking, S3, and security domains. The CI workflow now enforces policy violations as errors rather than warnings.
Critical Issue Found
policy/data.rego: The DynamoDB PITR check has a logic error that only verifies the property exists, not that PITR is actually enabled. This could allow tables with disabled PITR to pass the policy check.
Changes Look Good
- CI workflow correctly upgraded to fail on violations with proper exit codes
- New policy files (compute, logging, network) follow correct OPA/Rego patterns
- Improved existing policies with proper null checks and helper functions
- README documentation accurately reflects the new OPA integration
Please address the PITR validation issue before merging.
You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.
| some name | ||
| resource := input.Resources[name] | ||
| resource.Type == "AWS::DynamoDB::Table" | ||
| not resource.Properties.PointInTimeRecoverySpecification |
There was a problem hiding this comment.
🛑 Logic Error: Check both property existence and enabled status. The current check only verifies the PointInTimeRecoverySpecification property exists, not that PITR is actually enabled. A DynamoDB table with PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled: false would incorrectly pass this policy.
not pitr_enabled(resource)| deny_cloudtrail_not_logging contains msg if { | ||
| some resource in input.Resources | ||
| some name | ||
| resource := input.Resources[name] | ||
| resource.Type == "AWS::CloudTrail::Trail" | ||
| resource.Properties.IsLogging == false | ||
| msg := sprintf("CloudTrail %v has logging disabled.", [resource.Properties.TrailName]) | ||
| not resource.Properties.IsLogging | ||
| msg := sprintf("CloudTrail %v has logging disabled.", [resource_name(name, resource)]) | ||
| } |
There was a problem hiding this comment.
Add this helper function after the deny_cloudtrail_not_logging rule to properly validate PITR is enabled:
| deny_cloudtrail_not_logging contains msg if { | |
| some resource in input.Resources | |
| some name | |
| resource := input.Resources[name] | |
| resource.Type == "AWS::CloudTrail::Trail" | |
| resource.Properties.IsLogging == false | |
| msg := sprintf("CloudTrail %v has logging disabled.", [resource.Properties.TrailName]) | |
| not resource.Properties.IsLogging | |
| msg := sprintf("CloudTrail %v has logging disabled.", [resource_name(name, resource)]) | |
| } | |
| deny_cloudtrail_not_logging contains msg if { | |
| some name | |
| resource := input.Resources[name] | |
| resource.Type == "AWS::CloudTrail::Trail" | |
| not resource.Properties.IsLogging | |
| msg := sprintf("CloudTrail %v has logging disabled.", [resource_name(name, resource)]) | |
| } | |
| pitr_enabled(resource) if { | |
| resource.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == true | |
| } |
No description provided.