Controls with Referenced Policies

This example shows how a Control references an external Policy by its ID instead of embedding the logic itself, so that one Policy can be shared by several Controls.

Control with External Policy

id: aws_access_keys_rotated_x_days      # REQUIRED (unique across Controls)
title: Access Keys Rotated X Days       # RECOMMENDED (descriptive)
description: Ensure AWS IAM access keys are rotated on a periodic basis (X Days).  # RECOMMENDED
integration_type:
  - aws_cloud_account                   # REQUIRED (platform this Control applies to)
parameters:
  - key: awsIamAccessKeyAge
    value: '180'                       # Input used by the external Policy
policy:
  "@ref": "aws_iam_access_keys_policy" # REQUIRED reference to an external Policy ID
severity: medium                       # REQUIRED (choose from Critical, High, Medium, Low, None)
tags:                                  # RECOMMENDED (metadata for organization)
  score_service_name:
    - AWS Identity and Access Management (IAM)
  Category:
    - Insecure Keys

Explanation of Control Fields

Required:

  • id: A unique identifier for the Control (e.g., aws_access_keys_rotated_x_days).

  • integration_type: Specifies the environment or platform (e.g., aws_cloud_account) to which this Control applies.

  • policy: References the ID of an external Policy (e.g., aws_iam_access_keys_policy).

  • severity: Indicates the impact level if the Control fails (e.g., Critical, High, Medium, Low, None).

Recommended:

  • title: A concise and descriptive name for the Control (e.g., "Access Keys Rotated X Days").

  • description: A brief explanation of what the Control checks (e.g., "Ensures AWS IAM keys are rotated within a set number of days").

  • parameters: Key-value pairs that provide input to the external Policy (required if the Policy uses parameters).

  • tags: Optional metadata for categorizing or grouping the Control (e.g., relevant AWS services or risk categories).
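The field rules above are easy to get wrong by hand (a mistyped "@ref", a severity outside the allowed set, a parameter the Policy expects but the Control does not supply). The following linter is an added example, not tooling from the product this page documents. It takes the Control above as the dict that yaml.safe_load would produce, adds a second constructed Control that reuses the same Policy with a 90-day threshold, and checks every required field. Two assumptions are labelled in the code: Policy documents are modelled as declaring a parameters list (the page never shows a Policy), and severity is compared case-insensitively because the sample uses medium while its comment lists Medium.

```python
"""Lint Controls that reference an external Policy via "@ref".

Added example; not the product's own tooling. Documents are given as the
dicts that yaml.safe_load would return for the YAML on this page.
"""
from typing import Any

REQUIRED_FIELDS = ("id", "integration_type", "policy", "severity")
# Assumption: compared case-insensitively, since the sample Control uses
# `medium` while its comment lists `Medium`.
SEVERITIES = {"critical", "high", "medium", "low", "none"}

# Constructed Policy catalogue. The page does not show a Policy document, so
# the `parameters` list (the inputs a Policy reads) is an assumption.
POLICIES: dict[str, dict[str, Any]] = {
    "aws_iam_access_keys_policy": {"parameters": ["awsIamAccessKeyAge"]},
}

# The Control from the page (tags omitted) ...
CONTROL_180: dict[str, Any] = {
    "id": "aws_access_keys_rotated_x_days",
    "title": "Access Keys Rotated X Days",
    "integration_type": ["aws_cloud_account"],
    "parameters": [{"key": "awsIamAccessKeyAge", "value": "180"}],
    "policy": {"@ref": "aws_iam_access_keys_policy"},
    "severity": "medium",
}
# ... and a constructed second Control that reuses the same Policy with a
# tighter rotation window, which is the reuse the page describes.
CONTROL_90: dict[str, Any] = {
    "id": "aws_access_keys_rotated_90_days",
    "title": "Access Keys Rotated 90 Days",
    "integration_type": ["aws_cloud_account"],
    "parameters": [{"key": "awsIamAccessKeyAge", "value": "90"}],
    "policy": {"@ref": "aws_iam_access_keys_policy"},
    "severity": "high",
}


def validate_control(control: dict[str, Any],
                     policies: dict[str, dict[str, Any]]) -> list[str]:
    """Return a list of problems; an empty list means the Control is well-formed."""
    errors: list[str] = []
    for field in REQUIRED_FIELDS:
        if field not in control:
            errors.append(f"missing required field: {field}")

    itype = control.get("integration_type")
    if "integration_type" in control and (not isinstance(itype, list) or not itype):
        errors.append("integration_type must be a non-empty list")

    if "severity" in control and str(control["severity"]).lower() not in SEVERITIES:
        errors.append(f"severity {control['severity']!r} not in {sorted(SEVERITIES)}")

    policy = control.get("policy")
    ref = policy.get("@ref") if isinstance(policy, dict) else None
    if "policy" in control and not ref:
        errors.append('policy must be a mapping with an "@ref" Policy ID')
    elif ref and ref not in policies:
        errors.append(f"unknown policy reference: {ref}")
    elif ref:
        # Every input the referenced Policy consumes must be supplied by the Control.
        supplied = {p.get("key") for p in control.get("parameters", [])}
        for needed in policies[ref].get("parameters", []):
            if needed not in supplied:
                errors.append(f"policy {ref} expects parameter {needed}")
    return errors


def validate_pack(controls: list[dict[str, Any]],
                  policies: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Validate a set of Controls and enforce that `id` is unique across them."""
    report: dict[str, list[str]] = {}
    seen: set[str] = set()
    for control in controls:
        cid = str(control.get("id", "<missing id>"))
        problems = validate_control(control, policies)
        if cid in seen:
            problems.append(f"duplicate id: {cid}")
        seen.add(cid)
        report.setdefault(cid, []).extend(problems)
    return report


def resolve(control: dict[str, Any],
            policies: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Bind the Control's parameter values to the referenced Policy's inputs."""
    ref = control["policy"]["@ref"]
    values = {p["key"]: p["value"] for p in control.get("parameters", [])}
    inputs = {k: values[k] for k in policies[ref].get("parameters", [])}
    return {"policy": ref, "inputs": inputs}


if __name__ == "__main__":
    for cid, problems in validate_pack([CONTROL_180, CONTROL_90], POLICIES).items():
        print(cid, "OK" if not problems else problems)
    print(resolve(CONTROL_90, POLICIES))
```

Both Controls resolve to the same Policy ID with different awsIamAccessKeyAge inputs, which is the whole point of the "@ref" indirection: the rotation logic lives once in the Policy, and each Control contributes only its threshold and severity.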
