# AWS

Protection patterns for AWS CLI operations including EC2, S3, RDS, IAM, and CloudFormation.

The aws check group covers destructive AWS CLI operations that can terminate instances, delete data, and remove cloud infrastructure.

## AWS checks
### S3 remove bucket

| | |
|---|---|
| ID | `aws:s3_remove_bucket` |
| Severity | High |
| Alternative | `aws s3 ls s3://<bucket>` -- list bucket contents first to verify what would be deleted |

#### Triggers

```shell
aws s3 rb s3://my-bucket
aws s3 rb s3://my-bucket --force
```

### S3 recursive delete

| | |
|---|---|
| ID | `aws:s3_recursive_delete` |
| Severity | High |
| Filter | NotContains `--dryrun` |

#### Triggers

```shell
aws s3 rm s3://my-bucket/data/ --recursive
```

#### Does NOT trigger

```shell
aws s3 rm s3://my-bucket/data/ --recursive --dryrun
```

### EC2 terminate instances

| | |
|---|---|
| ID | `aws:ec2_terminate` |
| Severity | High |
| Alternative | `aws ec2 stop-instances` -- stop instead of terminate to preserve the instance for later restart |

#### Triggers

```shell
aws ec2 terminate-instances --instance-ids i-1234567890abcdef0
```

### RDS delete instance

| | |
|---|---|
| ID | `aws:rds_delete` |
| Severity | High |
| Alternative | `aws rds delete-db-instance --skip-final-snapshot=false --final-db-snapshot-identifier <name>` -- create a final snapshot before deletion |

#### Triggers

```shell
aws rds delete-db-instance --db-instance-identifier my-database
```

### IAM delete

| | |
|---|---|
| ID | `aws:iam_delete` |
| Severity | High |

Covers deletion of IAM users, roles, policies, and groups.

#### Triggers

```shell
aws iam delete-user --user-name admin
aws iam delete-role --role-name my-role
aws iam delete-policy --policy-arn arn:aws:iam::123456789:policy/my-policy
aws iam delete-group --group-name developers
```

### CloudFormation delete stack

| | |
|---|---|
| ID | `aws:cfn_delete_stack` |
| Severity | High |

#### Triggers

```shell
aws cloudformation delete-stack --stack-name my-infrastructure
```

### Route53 delete hosted zone

| | |
|---|---|
| ID | `aws:route53_delete_zone` |
| Severity | High |

#### Triggers

```shell
aws route53 delete-hosted-zone --id Z1234567890
```

### EKS delete cluster

| | |
|---|---|
| ID | `aws:eks_delete_cluster` |
| Severity | High |

#### Triggers

```shell
aws eks delete-cluster --name my-cluster
```

### Lambda delete function

| | |
|---|---|
| ID | `aws:lambda_delete` |
| Severity | High |

#### Triggers

```shell
aws lambda delete-function --function-name my-function
```
## Summary table

| ID | Command | Severity | Filter | Alternative |
|---|---|---|---|---|
| `aws:s3_remove_bucket` | `aws s3 rb` | High | -- | `aws s3 ls` |
| `aws:s3_recursive_delete` | `aws s3 rm --recursive` | High | NotContains `--dryrun` | -- |
| `aws:ec2_terminate` | `aws ec2 terminate-instances` | High | -- | `aws ec2 stop-instances` |
| `aws:rds_delete` | `aws rds delete-db-instance` | High | -- | Final snapshot variant |
| `aws:iam_delete` | `aws iam delete-(user\|role\|policy\|group)` | High | -- | -- |
| `aws:cfn_delete_stack` | `aws cloudformation delete-stack` | High | -- | -- |
| `aws:route53_delete_zone` | `aws route53 delete-hosted-zone` | High | -- | -- |
| `aws:eks_delete_cluster` | `aws eks delete-cluster` | High | -- | -- |
| `aws:lambda_delete` | `aws lambda delete-function` | High | -- | -- |
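The following is an added example of how the checks in this table can be matched against a command line before it runs. It is not the project's own matcher: the check table is transcribed from this page, but the tokenizer, the "service and operation as adjacent tokens" rule, the exact-token reading of the NotContains filter, and the handling of shell control operators (`&&`, `;`, `|`) and leading `VAR=value` prefixes are assumptions made here, chosen so that a destructive call chained after a harmless one, or run with global options such as `--region` before the service name, is still caught.

```python
"""Matcher for the aws check group described on this page.

Added example, not the project's own matcher. The check table is transcribed
from the page; tokenization and matching rules are assumptions.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Check:
    id: str
    service: str                        # token such as "s3" or "iam"
    operations: Tuple[str, ...]         # token(s) that must directly follow it
    requires: Tuple[str, ...] = ()      # every listed token must be present
    not_contains: Tuple[str, ...] = ()  # NotContains filter: any present -> no trigger
    alternative: Optional[str] = None
    severity: str = "High"


CHECKS: Tuple[Check, ...] = (
    Check("aws:s3_remove_bucket", "s3", ("rb",), alternative="aws s3 ls s3://<bucket>"),
    Check("aws:s3_recursive_delete", "s3", ("rm",),
          requires=("--recursive",), not_contains=("--dryrun",)),
    Check("aws:ec2_terminate", "ec2", ("terminate-instances",),
          alternative="aws ec2 stop-instances"),
    Check("aws:rds_delete", "rds", ("delete-db-instance",),
          alternative="delete-db-instance with --final-db-snapshot-identifier <name>"),
    Check("aws:iam_delete", "iam",
          ("delete-user", "delete-role", "delete-policy", "delete-group")),
    Check("aws:cfn_delete_stack", "cloudformation", ("delete-stack",)),
    Check("aws:route53_delete_zone", "route53", ("delete-hosted-zone",)),
    Check("aws:eks_delete_cluster", "eks", ("delete-cluster",)),
    Check("aws:lambda_delete", "lambda", ("delete-function",)),
)

# Shell control operators: a destructive call chained after a harmless one
# ("aws s3 ls ... && aws s3 rb ...") must be inspected on its own.
CONTROL_OPERATORS = {";", "&&", "||", "|", "&"}


def split_segments(command: str) -> List[List[str]]:
    """Tokenize like a POSIX shell and split the token stream on control operators."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    segments: List[List[str]] = []
    current: List[str] = []
    for token in lex:
        if token in CONTROL_OPERATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(token)
    if current:
        segments.append(current)
    return segments


def matches(check: Check, tokens: List[str]) -> bool:
    """True when service and operation are adjacent tokens and the
    requires/not_contains filters hold over the whole segment."""
    adjacent = any(tokens[i] == check.service and tokens[i + 1] in check.operations
                   for i in range(len(tokens) - 1))
    if not adjacent:
        return False
    if any(tok not in tokens for tok in check.requires):
        return False
    return not any(tok in tokens for tok in check.not_contains)


def evaluate(command: str) -> List[Tuple[str, Check]]:
    """Return (segment, check) pairs for every command segment that triggers a check."""
    hits: List[Tuple[str, Check]] = []
    for segment in split_segments(command):
        # Drop leading VAR=value assignments such as "AWS_PROFILE=prod aws ...".
        while segment and "=" in segment[0] and not segment[0].startswith("-"):
            segment = segment[1:]
        # Accept "aws" or a path ending in "/aws" as the executable.
        if not segment or segment[0].rsplit("/", 1)[-1] != "aws":
            continue
        for check in CHECKS:
            if matches(check, segment):
                hits.append((" ".join(segment), check))
                break  # one matching check is enough to flag the segment
    return hits


def check_ids(command: str) -> List[str]:
    return [check.id for _, check in evaluate(command)]


if __name__ == "__main__":
    # Constructed sample command lines, including triggers from this page.
    samples = [
        "aws s3 rb s3://my-bucket --force",
        "aws s3 rm s3://my-bucket/data/ --recursive --dryrun",
        "aws s3 ls s3://my-bucket && aws ec2 terminate-instances --instance-ids i-1234567890abcdef0",
        "AWS_PROFILE=prod aws --region us-east-1 iam delete-role --role-name my-role",
        "aws ec2 stop-instances --instance-ids i-1234567890abcdef0",
    ]
    for line in samples:
        verdict = ", ".join(f"{c.id} ({c.severity})" for _, c in evaluate(line)) or "allowed"
        print(f"{verdict:40} {line}")
```

Matching on adjacent `service operation` tokens rather than on a fixed position means global options placed before the service name do not cause a miss, and the per-segment loop means a guarded command cannot be slipped past the check by chaining it after an innocuous one; a parse failure from `shlex` (unbalanced quotes) propagates as a `ValueError`, which a wrapper should treat as "do not run" rather than "allowed".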