Skip to content

Expand OPA platform policies#5

Merged
tukue merged 2 commits into
mainfrom
feature/diagram-config-update
May 25, 2026
Merged

Expand OPA platform policies#5
tukue merged 2 commits into
mainfrom
feature/diagram-config-update

Conversation

@tukue

@tukue tukue commented May 25, 2026

Copy link
Copy Markdown
Owner

No description provided.

@amazon-q-developer amazon-q-developer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary

This PR expands OPA platform policies with comprehensive security checks across compute, data, IAM, logging, networking, S3, and security domains. The CI workflow now enforces policy violations as errors rather than warnings.

Critical Issue Found

policy/data.rego: The DynamoDB PITR check has a logic error that only verifies the property exists, not that PITR is actually enabled. This could allow tables with disabled PITR to pass the policy check.

Changes Look Good

  • CI workflow correctly upgraded to fail on violations with proper exit codes
  • New policy files (compute, logging, network) follow correct OPA/Rego patterns
  • Improved existing policies with proper null checks and helper functions
  • README documentation accurately reflects the new OPA integration

Please address the PITR validation issue before merging.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

Comment thread policy/data.rego Outdated
some name
resource := input.Resources[name]
resource.Type == "AWS::DynamoDB::Table"
not resource.Properties.PointInTimeRecoverySpecification

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Logic Error: Check both property existence and enabled status. The current check only verifies the PointInTimeRecoverySpecification property exists, not that PITR is actually enabled. A DynamoDB table with PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled: false would incorrectly pass this policy.

    not pitr_enabled(resource)

Comment thread policy/data.rego
Comment on lines 21 to +27
deny_cloudtrail_not_logging contains msg if {
some resource in input.Resources
some name
resource := input.Resources[name]
resource.Type == "AWS::CloudTrail::Trail"
resource.Properties.IsLogging == false
msg := sprintf("CloudTrail %v has logging disabled.", [resource.Properties.TrailName])
not resource.Properties.IsLogging
msg := sprintf("CloudTrail %v has logging disabled.", [resource_name(name, resource)])
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add this helper function after the deny_cloudtrail_not_logging rule to properly validate PITR is enabled:

Suggested change
deny_cloudtrail_not_logging contains msg if {
some resource in input.Resources
some name
resource := input.Resources[name]
resource.Type == "AWS::CloudTrail::Trail"
resource.Properties.IsLogging == false
msg := sprintf("CloudTrail %v has logging disabled.", [resource.Properties.TrailName])
not resource.Properties.IsLogging
msg := sprintf("CloudTrail %v has logging disabled.", [resource_name(name, resource)])
}
deny_cloudtrail_not_logging contains msg if {
some name
resource := input.Resources[name]
resource.Type == "AWS::CloudTrail::Trail"
not resource.Properties.IsLogging
msg := sprintf("CloudTrail %v has logging disabled.", [resource_name(name, resource)])
}
pitr_enabled(resource) if {
resource.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == true
}

@tukue tukue merged commit 8e8e82f into main May 25, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant