Controls with References Policies

This example shows how a Control uses an external Policy, promoting reusability.

Control with External Policy

id: aws_access_keys_rotated_x_days      # REQUIRED (unique across Controls)
title: Access Keys Rotated X Days       # RECOMMENDED (descriptive)
description: Ensure AWS IAM access keys are rotated on a periodic basis (X Days).  # RECOMMENDED
integration_type:
  - aws_cloud_account                   # REQUIRED (platform this Control applies to)
parameters:
  - key: awsIamAccessKeyAge
    value: '180'                       # Input used by the external Policy
policy:
  "@ref": "aws_iam_access_keys_policy" # REQUIRED reference to an external Policy ID
severity: medium                       # REQUIRED (choose from Critical, High, Medium, Low, None)
tags:                                  # RECOMMENDED (metadata for organization)
  score_service_name:
    - AWS Identity and Access Management (IAM)
  Category:
    - Insecure Keys

Explanation of Control Fields

Required:

• id: A unique identifier for the Control (e.g., aws_access_keys_rotated_x_days).

• integration_type: Specifies the environment or platform (e.g., aws_cloud_account) to which this Control applies.

• policy: References the ID of an external Policy (e.g., aws_iam_access_keys_policy).

• severity: Indicates the impact level if the Control fails (e.g., Critical, High, Medium, Low, None).

Recommended:

• title: A concise and descriptive name for the Control (e.g., "Access Keys Rotated X Days").

• description: A brief explanation of what the Control checks (e.g., "Ensures AWS IAM keys are rotated within a set number of days.").

• parameters: Key-value pairs that provide input to the external Policy (required if the Policy uses parameters).

• tags: Optional metadata for categorizing or grouping the Control (e.g., relevant AWS services or risk categories).