Added new rules

epam · Jun 27, 2023 · 53c6fe0 · 53c6fe0
1 parent f1aae25
commit 53c6fe0
Show file tree

Hide file tree

Showing 459 changed files with 472 additions and 0 deletions.
diff --git a/policies/ecc-aws-002-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml b/policies/ecc-aws-002-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml
diff --git a/policies/ecc-aws-013-ensure_access_keys_are_rotated_every_90_days.yml b/policies/ecc-aws-013-ensure_access_keys_are_rotated_every_90_days.yml
diff --git a/policies/ecc-aws-033-ensure_vpc_flow_logging_enabled_for_every_vpc.yml b/policies/ecc-aws-033-ensure_vpc_flow_logging_enabled_for_every_vpc.yml
diff --git a/policies/ecc-aws-080-bucket_policy_allows_https_requests.yml b/policies/ecc-aws-080-bucket_policy_allows_https_requests.yml
@@ -0,0 +1,36 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-080-bucket_policy_allows_https_requests
+    resource: aws.s3
+    description: |
+      S3 Bucket Policy allows HTTP requests
+    filters:
+      - not:
+          - or:
+              - type: has-statement
+                statements:
+                  - Effect: Deny
+                    Action: 's3:*'
+                    Condition:
+                      Bool:
+                        "aws:SecureTransport": "false"
+              - type: has-statement
+                statements:
+                  - Effect: Deny
+                    Action: '*'
+                    Condition:
+                      Bool:
+                        "aws:SecureTransport": "false"
+              - type: has-statement
+                statements:
+                  - Effect: Deny
+                    Action: 's3:GetObject'
+                    Condition:
+                      Bool:
+                        "aws:SecureTransport": "false"
diff --git a/policies/ecc-aws-082-rds_retention_backup_is_at_least_7_days.yml b/policies/ecc-aws-082-rds_retention_backup_is_at_least_7_days.yml
diff --git a/policies/ecc-aws-083-rds_high-availability_zone.yml b/policies/ecc-aws-083-rds_high-availability_zone.yml
diff --git a/policies/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month.yml b/policies/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month.yml
diff --git a/policies/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week.yml b/policies/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week.yml
diff --git a/policies/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution.yml b/policies/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution.yml
diff --git a/policies/ecc-aws-092-remove_weak_ciphers_for_clb.yml b/policies/ecc-aws-092-remove_weak_ciphers_for_clb.yml
diff --git a/policies/ecc-aws-093-clb_uses_https.yml b/policies/ecc-aws-093-clb_uses_https.yml
diff --git a/policies/ecc-aws-094-ensure_mfa_is_enabled_for_the_root_account.yml b/policies/ecc-aws-094-ensure_mfa_is_enabled_for_the_root_account.yml
diff --git a/policies/ecc-aws-095-ensure_hardware_mfa_is_enabled_for_root_account.yml b/policies/ecc-aws-095-ensure_hardware_mfa_is_enabled_for_root_account.yml
diff --git a/policies/ecc-aws-096-credentials_unused_for_45_days.yml b/policies/ecc-aws-096-credentials_unused_for_45_days.yml
diff --git a/policies/ecc-aws-097-iam_users_receive_permissions_only_through_groups.yml b/policies/ecc-aws-097-iam_users_receive_permissions_only_through_groups.yml
diff --git a/policies/ecc-aws-098-iam_password_policy_password_reuse.yml b/policies/ecc-aws-098-iam_password_policy_password_reuse.yml
diff --git a/policies/ecc-aws-099-instance_without_any_tag.yml b/policies/ecc-aws-099-instance_without_any_tag.yml
diff --git a/policies/ecc-aws-101-clb_access_logging_disabled.yml b/policies/ecc-aws-101-clb_access_logging_disabled.yml
diff --git a/policies/ecc-aws-102-ensures_sqs_encryption_is_enabled.yml b/policies/ecc-aws-102-ensures_sqs_encryption_is_enabled.yml
diff --git a/policies/ecc-aws-103-instance_without_termination_protection.yml b/policies/ecc-aws-103-instance_without_termination_protection.yml
diff --git a/policies/ecc-aws-105-rds_instance_with_no_backups.yml b/policies/ecc-aws-105-rds_instance_with_no_backups.yml
diff --git a/policies/ecc-aws-109-prevent_0-65535_ingress_and_all.yml b/policies/ecc-aws-109-prevent_0-65535_ingress_and_all.yml
diff --git a/policies/ecc-aws-110-security_group_ingress_is_restricted_traffic_to_dns_port_53.yml b/policies/ecc-aws-110-security_group_ingress_is_restricted_traffic_to_dns_port_53.yml
diff --git a/policies/ecc-aws-111-security_group_ingress_is_restricted_traffic_to_ftp_port_21.yml b/policies/ecc-aws-111-security_group_ingress_is_restricted_traffic_to_ftp_port_21.yml
diff --git a/policies/ecc-aws-112-security_group_ingress_is_restricted_traffic_to_http_port_80.yml b/policies/ecc-aws-112-security_group_ingress_is_restricted_traffic_to_http_port_80.yml
diff --git a/...ies/ecc-aws-113-security_group_ingress_is_restricted_traffic_to_microsoft_ds_port_445.yml b/...ies/ecc-aws-113-security_group_ingress_is_restricted_traffic_to_microsoft_ds_port_445.yml
diff --git a/policies/ecc-aws-114-security_group_ingress_is_restricted_traffic_to_mongodb_port_27017.yml b/policies/ecc-aws-114-security_group_ingress_is_restricted_traffic_to_mongodb_port_27017.yml
diff --git a/policies/ecc-aws-115-security_group_ingress_is_restricted_traffic_to_mysql_db_port_3306.yml b/policies/ecc-aws-115-security_group_ingress_is_restricted_traffic_to_mysql_db_port_3306.yml
diff --git a/...cies/ecc-aws-116-security_group_ingress_is_restricted_traffic_to_netbios_ssn_port_139.yml b/...cies/ecc-aws-116-security_group_ingress_is_restricted_traffic_to_netbios_ssn_port_139.yml
diff --git a/policies/ecc-aws-117-security_group_ingress_is_restricted_traffic_to_oracle_db_port_1521.yml b/policies/ecc-aws-117-security_group_ingress_is_restricted_traffic_to_oracle_db_port_1521.yml
diff --git a/policies/ecc-aws-118-security_group_ingress_is_restricted_traffic_to_pop3_port_110.yml b/policies/ecc-aws-118-security_group_ingress_is_restricted_traffic_to_pop3_port_110.yml
diff --git a/...cies/ecc-aws-119-security_group_ingress_is_restricted_traffic_to_postgresql_port_5432.yml b/...cies/ecc-aws-119-security_group_ingress_is_restricted_traffic_to_postgresql_port_5432.yml
diff --git a/policies/ecc-aws-120-security_group_ingress_is_restricted_traffic_to_smtp_port_25.yml b/policies/ecc-aws-120-security_group_ingress_is_restricted_traffic_to_smtp_port_25.yml
diff --git a/policies/ecc-aws-121-security_group_ingress_is_restricted_traffic_to_telnet_port_23.yml b/policies/ecc-aws-121-security_group_ingress_is_restricted_traffic_to_telnet_port_23.yml
diff --git a/policies/ecc-aws-124-eks_cluster_version_latest.yml b/policies/ecc-aws-124-eks_cluster_version_latest.yml
diff --git a/policies/ecc-aws-140-rds_without_tag_information.yml b/policies/ecc-aws-140-rds_without_tag_information.yml
diff --git a/policies/ecc-aws-141-s3_encrypted_using_kms.yml b/policies/ecc-aws-141-s3_encrypted_using_kms.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-141-s3_encrypted_using_kms
+    description: |
+      S3 is not using a KMS key for encryption
+    resource: s3
+    filters:
+      - type: bucket-encryption
+        state: false
+        crypto: aws:kms
diff --git a/policies/ecc-aws-162-s3_bucket_lifecycle.yml b/policies/ecc-aws-162-s3_bucket_lifecycle.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-162-s3_bucket_lifecycle
+    description: |
+      S3 Bucket life cycle is not configured
+    resource: s3
+    filters:
+      - type: value
+        key: Lifecycle
+        value: null
diff --git a/policies/ecc-aws-163-s3_buckets_without_tags.yml b/policies/ecc-aws-163-s3_buckets_without_tags.yml
@@ -0,0 +1,17 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-163-s3_buckets_without_tags
+    description: |
+      S3 Buckets without tags 
+    resource: s3
+    filters:
+      - not:
+          - type: value
+            key: Tags[0]
+            value: present
diff --git a/policies/ecc-aws-168-iam_password_policy_one_uppercase_letter.yml b/policies/ecc-aws-168-iam_password_policy_one_uppercase_letter.yml
diff --git a/policies/ecc-aws-169-ensure_no_root_account_access_key_exists.yml b/policies/ecc-aws-169-ensure_no_root_account_access_key_exists.yml
diff --git a/policies/ecc-aws-170-iam_password_policy_one_lowercase_letter.yml b/policies/ecc-aws-170-iam_password_policy_one_lowercase_letter.yml
diff --git a/policies/ecc-aws-171-iam_password_policy_one_symbol.yml b/policies/ecc-aws-171-iam_password_policy_one_symbol.yml
diff --git a/policies/ecc-aws-172-iam_password_policy_one_number.yml b/policies/ecc-aws-172-iam_password_policy_one_number.yml
diff --git a/policies/ecc-aws-173-iam_password_min_length_ge_14.yml b/policies/ecc-aws-173-iam_password_min_length_ge_14.yml
diff --git a/policies/ecc-aws-174-iam_password_policy_passwd_expires_le_90.yml b/policies/ecc-aws-174-iam_password_policy_passwd_expires_le_90.yml
diff --git a/policies/ecc-aws-176-cloudtrail_log_validation_enabled.yml b/policies/ecc-aws-176-cloudtrail_log_validation_enabled.yml
diff --git a/policies/ecc-aws-179-cloudtrail_integrated_with_cloudwatch.yml b/policies/ecc-aws-179-cloudtrail_integrated_with_cloudwatch.yml
diff --git a/...cies/ecc-aws-181-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml b/...cies/ecc-aws-181-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
diff --git a/policies/ecc-aws-183-config_enabled_all_regions.yml b/policies/ecc-aws-183-config_enabled_all_regions.yml
diff --git a/policies/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs.yml b/policies/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs.yml
diff --git a/policies/ecc-aws-185-kms_key_rotation_is_enabled.yml b/policies/ecc-aws-185-kms_key_rotation_is_enabled.yml
diff --git a/policies/ecc-aws-186-security_group_ingress_is_restricted_22.yml b/policies/ecc-aws-186-security_group_ingress_is_restricted_22.yml
diff --git a/policies/ecc-aws-187-security_group_ingress_is_restricted_3389.yml b/policies/ecc-aws-187-security_group_ingress_is_restricted_3389.yml
diff --git a/policies/ecc-aws-188-default_security_group_every_vpc_restricts_all_traffic.yml b/policies/ecc-aws-188-default_security_group_every_vpc_restricts_all_traffic.yml
diff --git a/policies/ecc-aws-190-encrypted_connection_between_cloudfront_origin.yml b/policies/ecc-aws-190-encrypted_connection_between_cloudfront_origin.yml
diff --git a/policies/ecc-aws-191-eks_cluster_protected_endpoint_access.yml b/policies/ecc-aws-191-eks_cluster_protected_endpoint_access.yml
diff --git a/policies/ecc-aws-196-unused_ec2_security_groups.yml b/policies/ecc-aws-196-unused_ec2_security_groups.yml
diff --git a/policies/ecc-aws-197-codebuild_project_source_repo_url_check.yml b/policies/ecc-aws-197-codebuild_project_source_repo_url_check.yml
diff --git a/policies/ecc-aws-198-autoscaling_group_health_checks.yml b/policies/ecc-aws-198-autoscaling_group_health_checks.yml
diff --git a/policies/ecc-aws-199-unused_eip_should_be_removed.yml b/policies/ecc-aws-199-unused_eip_should_be_removed.yml
diff --git a/policies/ecc-aws-200-elasticsearch_service_domains_in_vpc.yml b/policies/ecc-aws-200-elasticsearch_service_domains_in_vpc.yml
diff --git a/policies/ecc-aws-201-elasticsearch_service_domains_encryption_at_rest.yml b/policies/ecc-aws-201-elasticsearch_service_domains_encryption_at_rest.yml
diff --git a/policies/ecc-aws-203-ebs_snapshots_not_publicly_restorable.yml b/policies/ecc-aws-203-ebs_snapshots_not_publicly_restorable.yml
diff --git a/policies/ecc-aws-210-cloud_front_waf_integration.yml b/policies/ecc-aws-210-cloud_front_waf_integration.yml
diff --git a/policies/ecc-aws-212-lambda_in_vpc.yml b/policies/ecc-aws-212-lambda_in_vpc.yml
diff --git a/policies/ecc-aws-215-redshift_cluster_prohibit_public_access.yml b/policies/ecc-aws-215-redshift_cluster_prohibit_public_access.yml
diff --git a/policies/ecc-aws-216-s3_bucket_cross_region_replication_enabled.yml b/policies/ecc-aws-216-s3_bucket_cross_region_replication_enabled.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-216-s3_bucket_cross_region_replication_enabled
+    description: |
+      S3 bucket cross-region replication is disabled
+    resource: s3
+    filters:
+      - type: value
+        key: Replication
+        value: null
diff --git a/policies/ecc-aws-218-codebuild_environment_variables_contain_text_credentials.yml b/policies/ecc-aws-218-codebuild_environment_variables_contain_text_credentials.yml
diff --git a/policies/ecc-aws-219-rds_snapshot_prohibit_public_access.yml b/policies/ecc-aws-219-rds_snapshot_prohibit_public_access.yml
diff --git a/policies/ecc-aws-221-ec2_managed_ssm_patch_compliance.yml b/policies/ecc-aws-221-ec2_managed_ssm_patch_compliance.yml
diff --git a/policies/ecc-aws-222-ami_public_access.yml b/policies/ecc-aws-222-ami_public_access.yml
diff --git a/policies/ecc-aws-223-ensure_that_sagemaker_in_vpc.yml b/policies/ecc-aws-223-ensure_that_sagemaker_in_vpc.yml
diff --git a/policies/ecc-aws-231-vpc-subnets_automatic_public_ip_assignment.yml b/policies/ecc-aws-231-vpc-subnets_automatic_public_ip_assignment.yml
diff --git a/policies/ecc-aws-232-sagemaker_does_not_have_direct_internet_access.yml b/policies/ecc-aws-232-sagemaker_does_not_have_direct_internet_access.yml
diff --git a/policies/ecc-aws-237-cloudfront_web_distributions_use_custom_ssl_certificates.yml b/policies/ecc-aws-237-cloudfront_web_distributions_use_custom_ssl_certificates.yml
diff --git a/policies/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled.yml b/policies/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled.yml
diff --git a/policies/ecc-aws-240-acm_has_certificates_single_domain_names.yml b/policies/ecc-aws-240-acm_has_certificates_single_domain_names.yml
diff --git a/policies/ecc-aws-241-acm_has_no_unused_certificates.yml b/policies/ecc-aws-241-acm_has_no_unused_certificates.yml
diff --git a/policies/ecc-aws-242-cloudfront_distribution_access_logging.yml b/policies/ecc-aws-242-cloudfront_distribution_access_logging.yml
diff --git a/policies/ecc-aws-243-invalid_or_failed_certificates_are_removed_from_acm.yml b/policies/ecc-aws-243-invalid_or_failed_certificates_are_removed_from_acm.yml
diff --git a/policies/ecc-aws-245-alb_is_protected_by_waf_regional.yml b/policies/ecc-aws-245-alb_is_protected_by_waf_regional.yml
diff --git a/policies/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled.yml b/policies/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled.yml
@@ -0,0 +1,20 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled
+    description: |
+      S3 bucket versioning MFA delete is disabled
+    resource: s3
+    filters:
+      - or:
+          - type: value
+            key: Versioning.MFADelete
+            value: Disabled
+          - type: value
+            key: Versioning.MFADelete
+            value: absent
diff --git a/policies/ecc-aws-247-managed_policies_instead_of_inline_iam_policies.yml b/policies/ecc-aws-247-managed_policies_instead_of_inline_iam_policies.yml
diff --git a/policies/ecc-aws-248-k8s_cluster_network_firewall_inbound_rule_permissive_to_all_traffic.yml b/policies/ecc-aws-248-k8s_cluster_network_firewall_inbound_rule_permissive_to_all_traffic.yml
diff --git a/policies/ecc-aws-249-expired_certificates_are_removed_from_acm.yml b/policies/ecc-aws-249-expired_certificates_are_removed_from_acm.yml
diff --git a/policies/ecc-aws-250-rest_api_gateway_is_set_to_private.yml b/policies/ecc-aws-250-rest_api_gateway_is_set_to_private.yml
diff --git a/policies/ecc-aws-251-api_key_is_required_on_method_request.yml b/policies/ecc-aws-251-api_key_is_required_on_method_request.yml
diff --git a/policies/ecc-aws-253-kinesis_streams_encrypted_kms_customer_master_keys.yml b/policies/ecc-aws-253-kinesis_streams_encrypted_kms_customer_master_keys.yml
diff --git a/policies/ecc-aws-254-kinesis_server_data_at_rest_has_sse.yml b/policies/ecc-aws-254-kinesis_server_data_at_rest_has_sse.yml
diff --git a/policies/ecc-aws-255-restrict_outbound_traffic.yml b/policies/ecc-aws-255-restrict_outbound_traffic.yml
diff --git a/policies/ecc-aws-256-dynamodb_is_encrypted_using_managed_cmk.yml b/policies/ecc-aws-256-dynamodb_is_encrypted_using_managed_cmk.yml
diff --git a/policies/ecc-aws-257-efs_is_encrypted.yml b/policies/ecc-aws-257-efs_is_encrypted.yml
diff --git a/policies/ecc-aws-258-efs_is_encrypted_using_managed_cmk.yml b/policies/ecc-aws-258-efs_is_encrypted_using_managed_cmk.yml
diff --git a/policies/ecc-aws-259-elasticache_redis_clusters_encryption_at_rest.yml b/policies/ecc-aws-259-elasticache_redis_clusters_encryption_at_rest.yml
diff --git a/policies/ecc-aws-260-redshift_instances_are_encrypted.yml b/policies/ecc-aws-260-redshift_instances_are_encrypted.yml
diff --git a/policies/ecc-aws-261-rds_cluster_storage_is_encrypted.yml b/policies/ecc-aws-261-rds_cluster_storage_is_encrypted.yml
diff --git a/policies/ecc-aws-262-expired_route53_domain_names.yml b/policies/ecc-aws-262-expired_route53_domain_names.yml
diff --git a/policies/ecc-aws-263-enable_elb_access_logs.yml b/policies/ecc-aws-263-enable_elb_access_logs.yml
diff --git a/policies/ecc-aws-264-update_security_policy_of_network_load_balancer.yml b/policies/ecc-aws-264-update_security_policy_of_network_load_balancer.yml
diff --git a/policies/ecc-aws-267-guardduty_service_is_enabled.yml b/policies/ecc-aws-267-guardduty_service_is_enabled.yml
diff --git a/policies/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks.yml b/policies/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks.yml
diff --git a/policies/ecc-aws-276-iam_access_analyzer_is_enabled.yml b/policies/ecc-aws-276-iam_access_analyzer_is_enabled.yml
diff --git a/policies/ecc-aws-277-only_one_active_access_key_available_for_any_single_iam_user.yml b/policies/ecc-aws-277-only_one_active_access_key_available_for_any_single_iam_user.yml
diff --git a/policies/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml b/policies/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml
diff --git a/policies/ecc-aws-280-s3_buckets_configured_with_block_public_access.yml b/policies/ecc-aws-280-s3_buckets_configured_with_block_public_access.yml
@@ -0,0 +1,14 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-280-s3_buckets_configured_with_block_public_access
+    resource: aws.s3
+    description: |
+      S3 Buckets are not configured with 'Block public access' bucket settings
+    filters:
+      - type: check-public-block
diff --git a/policies/ecc-aws-289-ebs_volume_without_encrypt.yml b/policies/ecc-aws-289-ebs_volume_without_encrypt.yml
diff --git a/policies/ecc-aws-290-logging_for_s3_enabled.yml b/policies/ecc-aws-290-logging_for_s3_enabled.yml
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-290-logging_for_s3_enabled
+    description: |
+      Logging for S3 bucket is disabled
+    resource: s3
+    filters:
+      - type: bucket-logging
+        op: disabled
diff --git a/policies/ecc-aws-291-rds_public_access_disabled.yml b/policies/ecc-aws-291-rds_public_access_disabled.yml
diff --git a/policies/ecc-aws-292-api_gateway_rest_api_encryption_at_rest.yml b/policies/ecc-aws-292-api_gateway_rest_api_encryption_at_rest.yml
diff --git a/policies/ecc-aws-293-security_group_ingress_is_restricted_traffic_to_port_20.yml b/policies/ecc-aws-293-security_group_ingress_is_restricted_traffic_to_port_20.yml
diff --git a/policies/ecc-aws-294-clb_connection_draining_enabled.yml b/policies/ecc-aws-294-clb_connection_draining_enabled.yml
diff --git a/policies/ecc-aws-295-elasticsearch_domains_audit_logging_enabled.yml b/policies/ecc-aws-295-elasticsearch_domains_audit_logging_enabled.yml
diff --git a/...c-aws-297-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes.yml b/...c-aws-297-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes.yml
diff --git a/policies/ecc-aws-298-elasticsearch_domain_connections_encrypted_using_TLS_1_2.yml b/policies/ecc-aws-298-elasticsearch_domain_connections_encrypted_using_TLS_1_2.yml
diff --git a/policies/ecc-aws-299-rds_db_clusters_configured_to_copy_tags_to_snapshots.yml b/policies/ecc-aws-299-rds_db_clusters_configured_to_copy_tags_to_snapshots.yml
diff --git a/policies/ecc-aws-300-rds_db_instances_configured_to_copy_tags_to_snapshots.yml b/policies/ecc-aws-300-rds_db_instances_configured_to_copy_tags_to_snapshots.yml
diff --git a/policies/ecc-aws-306-redshift_clusters_audit_logging_enabled.yml b/policies/ecc-aws-306-redshift_clusters_audit_logging_enabled.yml
diff --git a/policies/ecc-aws-308-ecs_services_public_ip_addresses_not_assigned_automatically.yml b/policies/ecc-aws-308-ecs_services_public_ip_addresses_not_assigned_automatically.yml
diff --git a/policies/ecc-aws-309-security_group_ingress_is_restricted_traffic_to_port_135.yml b/policies/ecc-aws-309-security_group_ingress_is_restricted_traffic_to_port_135.yml
diff --git a/policies/ecc-aws-310-security_group_ingress_is_restricted_traffic_to_port_143.yml b/policies/ecc-aws-310-security_group_ingress_is_restricted_traffic_to_port_143.yml
diff --git a/policies/ecc-aws-312-security_group_ingress_is_restricted_traffic_to_mssql_ports.yml b/policies/ecc-aws-312-security_group_ingress_is_restricted_traffic_to_mssql_ports.yml
diff --git a/policies/ecc-aws-313-security_group_ingress_is_restricted_traffic_to_port_4333.yml b/policies/ecc-aws-313-security_group_ingress_is_restricted_traffic_to_port_4333.yml
diff --git a/policies/ecc-aws-314-security_group_ingress_is_restricted_traffic_to_port_5500.yml b/policies/ecc-aws-314-security_group_ingress_is_restricted_traffic_to_port_5500.yml
diff --git a/policies/ecc-aws-315-security_group_ingress_is_restricted_traffic_to_port_5601.yml b/policies/ecc-aws-315-security_group_ingress_is_restricted_traffic_to_port_5601.yml
diff --git a/policies/ecc-aws-316-security_group_ingress_is_restricted_traffic_to_port_8080.yml b/policies/ecc-aws-316-security_group_ingress_is_restricted_traffic_to_port_8080.yml
diff --git a/...c-aws-317-security_group_ingress_is_restricted_traffic_to_elasticsearch_service_ports.yml b/...c-aws-317-security_group_ingress_is_restricted_traffic_to_elasticsearch_service_ports.yml
diff --git a/policies/ecc-aws-318-rds_database_cluster_engine_no_default_ports.yml b/policies/ecc-aws-318-rds_database_cluster_engine_no_default_ports.yml
diff --git a/policies/ecc-aws-319-rds_instances_storage_is_encrypted.yml b/policies/ecc-aws-319-rds_instances_storage_is_encrypted.yml
diff --git a/policies/ecc-aws-320-rds_snapshots_storage_is_encrypted.yml b/policies/ecc-aws-320-rds_snapshots_storage_is_encrypted.yml
diff --git a/policies/ecc-aws-322-api_gateway_rest_api_stages_ssl_certificates_configured.yml b/policies/ecc-aws-322-api_gateway_rest_api_stages_ssl_certificates_configured.yml
diff --git a/policies/ecc-aws-323-rest_api_aws_x_ray_enabled.yml b/policies/ecc-aws-323-rest_api_aws_x_ray_enabled.yml
diff --git a/policies/ecc-aws-324-cloudfront_default_root_object_configured.yml b/policies/ecc-aws-324-cloudfront_default_root_object_configured.yml
diff --git a/policies/ecc-aws-326-cloudfront_origin_failover_configured.yml b/policies/ecc-aws-326-cloudfront_origin_failover_configured.yml
diff --git a/policies/ecc-aws-327-dms_replication_not_public.yml b/policies/ecc-aws-327-dms_replication_not_public.yml
diff --git a/policies/ecc-aws-329-dynamodb_tables_pitr_enabled.yml b/policies/ecc-aws-329-dynamodb_tables_pitr_enabled.yml
diff --git a/policies/ecc-aws-330-dynamodb_dax_encryption_enabled.yml b/policies/ecc-aws-330-dynamodb_dax_encryption_enabled.yml
diff --git a/policies/ecc-aws-331-ec2_stopped_instance.yml b/policies/ecc-aws-331-ec2_stopped_instance.yml
diff --git a/policies/ecc-aws-332-ec2_instance_no_public_ip.yml b/policies/ecc-aws-332-ec2_instance_no_public_ip.yml
diff --git a/policies/ecc-aws-333-ec2_service_use_vpc_endpoints.yml b/policies/ecc-aws-333-ec2_service_use_vpc_endpoints.yml
diff --git a/policies/ecc-aws-334-vpc_unused_network_acl.yml b/policies/ecc-aws-334-vpc_unused_network_acl.yml
diff --git a/policies/ecc-aws-335-ec2_instance_should_not_use_multiple_eni.yml b/policies/ecc-aws-335-ec2_instance_should_not_use_multiple_eni.yml
diff --git a/policies/ecc-aws-336-ecs_task_definitions_secure_networking_modes_and_user_definitions.yml b/policies/ecc-aws-336-ecs_task_definitions_secure_networking_modes_and_user_definitions.yml
diff --git a/policies/ecc-aws-337-efs_in_backup_plan.yml b/policies/ecc-aws-337-efs_in_backup_plan.yml
diff --git a/policies/ecc-aws-338-elastic_beanstalk_enhanced_health_reporting_enabled.yml b/policies/ecc-aws-338-elastic_beanstalk_enhanced_health_reporting_enabled.yml
diff --git a/policies/ecc-aws-339-alb_drop_invalid_http_header.yml b/policies/ecc-aws-339-alb_drop_invalid_http_header.yml
diff --git a/policies/ecc-aws-341-elb_deletion_protection_enabled.yml b/policies/ecc-aws-341-elb_deletion_protection_enabled.yml
diff --git a/policies/ecc-aws-342-alb_http_to_https_redirection_enabled.yml b/policies/ecc-aws-342-alb_http_to_https_redirection_enabled.yml
diff --git a/policies/ecc-aws-343-emr_master_nodes_no_public_ip.yml b/policies/ecc-aws-343-emr_master_nodes_no_public_ip.yml
diff --git a/policies/ecc-aws-344-elasticsearch_node_to_node_encryption_enabled.yml b/policies/ecc-aws-344-elasticsearch_node_to_node_encryption_enabled.yml
diff --git a/policies/ecc-aws-345-elasticsearch_error_logging_to_cloudwatch_enabled.yml b/policies/ecc-aws-345-elasticsearch_error_logging_to_cloudwatch_enabled.yml
diff --git a/policies/ecc-aws-346-rds_instance_enhanced_monitoring_enabled.yml b/policies/ecc-aws-346-rds_instance_enhanced_monitoring_enabled.yml
diff --git a/policies/ecc-aws-347-rds_cluster_deletion_protection_enabled.yml b/policies/ecc-aws-347-rds_cluster_deletion_protection_enabled.yml
diff --git a/policies/ecc-aws-348-rds_instance_deletion_protection_enabled.yml b/policies/ecc-aws-348-rds_instance_deletion_protection_enabled.yml
diff --git a/policies/ecc-aws-349-rds_oracle_logging_enabled.yml b/policies/ecc-aws-349-rds_oracle_logging_enabled.yml
diff --git a/policies/ecc-aws-350-rds_postgresql_logging_enabled.yml b/policies/ecc-aws-350-rds_postgresql_logging_enabled.yml
diff --git a/policies/ecc-aws-351-rds_mysql_logging_enabled.yml b/policies/ecc-aws-351-rds_mysql_logging_enabled.yml
diff --git a/policies/ecc-aws-352-rds_mariadb_logging_enabled.yml b/policies/ecc-aws-352-rds_mariadb_logging_enabled.yml
@@ -0,0 +1,56 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-352-rds_mariadb_logging_enabled
+    resource: aws.rds
+    description: |
+      MariaDB database logging is disabled
+    filters:
+      - and:
+          - type: value
+            key: Engine
+            value: mariadb
+          - or:
+              - not:
+                  - type: db-option-groups
+                    key: length(Options[].OptionSettings[?Name == 'SERVER_AUDIT_EVENTS' && Value == `CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL`].Value[])
+                    op: eq
+                    value: 1
+              - not:
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: audit
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: error
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: general
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: slowquery
+                  - type: db-parameter
+                    key: general_log
+                    op: eq
+                    value: 1
+                  - type: db-parameter
+                    key: slow_query_log
+                    op: eq
+                    value: 1
+                  - type: db-parameter
+                    key: log_output
+                    op: eq
+                    value: FILE
diff --git a/policies/ecc-aws-353-rds_sql_server_logging_enabled.yml b/policies/ecc-aws-353-rds_sql_server_logging_enabled.yml
diff --git a/policies/ecc-aws-354-rds_aurora_logging_enabled.yml b/policies/ecc-aws-354-rds_aurora_logging_enabled.yml
diff --git a/policies/ecc-aws-355-rds_aurora_mysql_logging_enabled.yml b/policies/ecc-aws-355-rds_aurora_mysql_logging_enabled.yml
diff --git a/policies/ecc-aws-356-rds_aurora_postgresql_logging_enabled.yml b/policies/ecc-aws-356-rds_aurora_postgresql_logging_enabled.yml
diff --git a/policies/ecc-aws-357-rds_instance_iam_authentication_configured.yml b/policies/ecc-aws-357-rds_instance_iam_authentication_configured.yml
diff --git a/policies/ecc-aws-358-rds_cluster_iam_authentication_configured.yml b/policies/ecc-aws-358-rds_cluster_iam_authentication_configured.yml
diff --git a/policies/ecc-aws-359-rds_aurora_mysql_backtracking_enabled.yml b/policies/ecc-aws-359-rds_aurora_mysql_backtracking_enabled.yml
diff --git a/policies/ecc-aws-360-rds_cluster_multi_az_enabled.yml b/policies/ecc-aws-360-rds_cluster_multi_az_enabled.yml
diff --git a/policies/ecc-aws-361-redshift_cluster_encrypted_in_transit.yml b/policies/ecc-aws-361-redshift_cluster_encrypted_in_transit.yml
diff --git a/policies/ecc-aws-362-redshift_cluster_automatic_snapshot_enabled.yml b/policies/ecc-aws-362-redshift_cluster_automatic_snapshot_enabled.yml
diff --git a/policies/ecc-aws-363-redshift_cluster_automatic_upgrade_to_major_version_enabled.yml b/policies/ecc-aws-363-redshift_cluster_automatic_upgrade_to_major_version_enabled.yml
diff --git a/policies/ecc-aws-364-redshift_cluster_enhanced_vpc_routing_enabled.yml b/policies/ecc-aws-364-redshift_cluster_enhanced_vpc_routing_enabled.yml
diff --git a/policies/ecc-aws-368-sns_kms_encryption_enabled.yml b/policies/ecc-aws-368-sns_kms_encryption_enabled.yml
diff --git a/policies/ecc-aws-370-ec2_instance_managed_by_systems_manager.yml b/policies/ecc-aws-370-ec2_instance_managed_by_systems_manager.yml
diff --git a/policies/ecc-aws-371-ec2_managed_instance_association_compliance_status_check.yml b/policies/ecc-aws-371-ec2_managed_instance_association_compliance_status_check.yml
diff --git a/policies/ecc-aws-372-ec2_instance_imdsv2_enabled.yml b/policies/ecc-aws-372-ec2_instance_imdsv2_enabled.yml
diff --git a/policies/ecc-aws-373-eks_control_plane_logging_enabled.yml b/policies/ecc-aws-373-eks_control_plane_logging_enabled.yml
diff --git a/policies/ecc-aws-374-eks_clusters_security_group_traffic_restricted.yml b/policies/ecc-aws-374-eks_clusters_security_group_traffic_restricted.yml
diff --git a/policies/ecc-aws-375-eks_secrets_encrypted.yml b/policies/ecc-aws-375-eks_secrets_encrypted.yml
diff --git a/policies/ecc-aws-376-ecr_immutable_image_tags.yml b/policies/ecc-aws-376-ecr_immutable_image_tags.yml
diff --git a/policies/ecc-aws-377-ecr_repository_kms_encryption_enabled.yml b/policies/ecc-aws-377-ecr_repository_kms_encryption_enabled.yml
diff --git a/policies/ecc-aws-378-ecr_image_scanning_on_push_enabled.yml b/policies/ecc-aws-378-ecr_image_scanning_on_push_enabled.yml
diff --git a/policies/ecc-aws-379-postgresql_log_rotation_age_flag_set_to_60.yml b/policies/ecc-aws-379-postgresql_log_rotation_age_flag_set_to_60.yml
diff --git a/policies/ecc-aws-380-postgresql_log_rotation_size_flag_set_correctly.yml b/policies/ecc-aws-380-postgresql_log_rotation_size_flag_set_correctly.yml
diff --git a/policies/ecc-aws-381-postgresql_debug_print_parse_flag_disabled.yml b/policies/ecc-aws-381-postgresql_debug_print_parse_flag_disabled.yml
diff --git a/policies/ecc-aws-382-postgresql_debug_print_rewritten_flag_disabled.yml b/policies/ecc-aws-382-postgresql_debug_print_rewritten_flag_disabled.yml
diff --git a/policies/ecc-aws-383-postgresql_debug_print_plan_flag_disabled.yml b/policies/ecc-aws-383-postgresql_debug_print_plan_flag_disabled.yml
diff --git a/policies/ecc-aws-384-postgresql_debug_pretty_print_flag_enabled.yml b/policies/ecc-aws-384-postgresql_debug_pretty_print_flag_enabled.yml
diff --git a/policies/ecc-aws-385-postgresql_log_connections_flag_enabled.yml b/policies/ecc-aws-385-postgresql_log_connections_flag_enabled.yml
diff --git a/policies/ecc-aws-386-postgresql_log_disconnections_flag_enabled.yml b/policies/ecc-aws-386-postgresql_log_disconnections_flag_enabled.yml
diff --git a/policies/ecc-aws-387-postgresql_log_error_verbosity_flag_set_correctly.yml b/policies/ecc-aws-387-postgresql_log_error_verbosity_flag_set_correctly.yml
diff --git a/policies/ecc-aws-388-postgresql_log_hostname_flag_disabled.yml b/policies/ecc-aws-388-postgresql_log_hostname_flag_disabled.yml
diff --git a/policies/ecc-aws-389-postgresql_log_statement_flag_set_correctly.yml b/policies/ecc-aws-389-postgresql_log_statement_flag_set_correctly.yml
diff --git a/policies/ecc-aws-390-postgresql_log_destination_flag_set_to_csvlog.yml b/policies/ecc-aws-390-postgresql_log_destination_flag_set_to_csvlog.yml
diff --git a/policies/ecc-aws-391-postgresql_log_checkpoints_flag_enabled.yml b/policies/ecc-aws-391-postgresql_log_checkpoints_flag_enabled.yml
diff --git a/policies/ecc-aws-392-postgresql_log_lock_waits_flag_enabled.yml b/policies/ecc-aws-392-postgresql_log_lock_waits_flag_enabled.yml
diff --git a/policies/ecc-aws-393-postgresql_log_duration_flag_enabled.yml b/policies/ecc-aws-393-postgresql_log_duration_flag_enabled.yml
diff --git a/policies/ecc-aws-394-transit_gateway_default_route_table_association_disabled.yml b/policies/ecc-aws-394-transit_gateway_default_route_table_association_disabled.yml
diff --git a/policies/ecc-aws-395-transit_gateway_default_route_table_propagation_disabled.yml b/policies/ecc-aws-395-transit_gateway_default_route_table_propagation_disabled.yml
diff --git a/policies/ecc-aws-396-rest_api_gateway_is_protected_by_waf.yml b/policies/ecc-aws-396-rest_api_gateway_is_protected_by_waf.yml
diff --git a/policies/ecc-aws-397-rest_api_gateway_contend_encoding_enabled.yml b/policies/ecc-aws-397-rest_api_gateway_contend_encoding_enabled.yml
diff --git a/policies/ecc-aws-398-rest_api_gateway_cache_enabled.yml b/policies/ecc-aws-398-rest_api_gateway_cache_enabled.yml
diff --git a/policies/ecc-aws-400-glue_data_catalog_encrypted_at_rest.yml b/policies/ecc-aws-400-glue_data_catalog_encrypted_at_rest.yml
diff --git a/policies/ecc-aws-401-glue_data_catalog_encrypted_with_kms_customer_master_keys.yml b/policies/ecc-aws-401-glue_data_catalog_encrypted_with_kms_customer_master_keys.yml
diff --git a/policies/ecc-aws-402-glue_job_bookmarks_encrypted.yml b/policies/ecc-aws-402-glue_job_bookmarks_encrypted.yml
diff --git a/policies/ecc-aws-403-glue_cloudwatch_logs_encrypted.yml b/policies/ecc-aws-403-glue_cloudwatch_logs_encrypted.yml
diff --git a/policies/ecc-aws-404-glue_s3_encryption_enabled.yml b/policies/ecc-aws-404-glue_s3_encryption_enabled.yml
diff --git a/policies/ecc-aws-405-emr_kerberos_authentication_enabled.yml b/policies/ecc-aws-405-emr_kerberos_authentication_enabled.yml
diff --git a/policies/ecc-aws-407-emr_clusters_in_vpc.yml b/policies/ecc-aws-407-emr_clusters_in_vpc.yml
diff --git a/policies/ecc-aws-408-emr_logging_to_s3_enabled.yml b/policies/ecc-aws-408-emr_logging_to_s3_enabled.yml
diff --git a/policies/ecc-aws-409-vpc_unused_internet_gateway.yml b/policies/ecc-aws-409-vpc_unused_internet_gateway.yml
diff --git a/policies/ecc-aws-411-unused_virtual_private_gateways.yml b/policies/ecc-aws-411-unused_virtual_private_gateways.yml
diff --git a/policies/ecc-aws-413-elasticache_previous_generation_instances_not_used.yml b/policies/ecc-aws-413-elasticache_previous_generation_instances_not_used.yml
diff --git a/policies/ecc-aws-414-elasticache_automatic_backups.yml b/policies/ecc-aws-414-elasticache_automatic_backups.yml
diff --git a/policies/ecc-aws-415-elasticache_encrypted_in_transit.yml b/policies/ecc-aws-415-elasticache_encrypted_in_transit.yml
diff --git a/policies/ecc-aws-416-elasticache_encrypted_at_rest_using_cmk.yml b/policies/ecc-aws-416-elasticache_encrypted_at_rest_using_cmk.yml
diff --git a/policies/ecc-aws-418-elasticache_redis_multi_az_enabled.yml b/policies/ecc-aws-418-elasticache_redis_multi_az_enabled.yml
diff --git a/policies/ecc-aws-419-elasticache_redis_auth_enabled.yml b/policies/ecc-aws-419-elasticache_redis_auth_enabled.yml
diff --git a/policies/ecc-aws-420-elasticache_latest_version.yml b/policies/ecc-aws-420-elasticache_latest_version.yml
diff --git a/policies/ecc-aws-421-documentdb_logging_enabled.yml b/policies/ecc-aws-421-documentdb_logging_enabled.yml
@@ -0,0 +1,35 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-421-documentdb_logging_enabled
+    resource: aws.rds-cluster
+    description: |
+      DocumentDB logging is not enabled
+    filters:
+      - and:
+          - type: value
+            key: Engine
+            value: 'docdb'
+          - not:
+              - and:
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: audit
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: profiler
+                  - type: db-cluster-parameter
+                    key: audit_logs
+                    value: enabled
+                  - type: db-cluster-parameter
+                    key: profiler
+                    value: enabled
diff --git a/policies/ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled.yml b/policies/ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled.yml
@@ -0,0 +1,48 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled
+    resource: aws.rds-cluster
+    description: |
+      Aurora-MySQL cluster logging is disabled
+    filters:
+      - and:
+          - type: value
+            key: Engine
+            value: aurora-mysql
+          - not:
+              - and:
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: audit
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: error
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: general
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: slowquery
+                  - type: db-cluster-parameter
+                    key: general_log
+                    value: 1
+                  - type: db-cluster-parameter
+                    key: slow_query_log
+                    value: 1
+                  - type: db-cluster-parameter
+                    key: log_output
+                    value: FILE
diff --git a/policies/ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled.yml b/policies/ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled.yml
@@ -0,0 +1,33 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled
+    resource: aws.rds-cluster
+    description: |
+      Aurora-PostgreSQL cluster logging is disabled
+    filters:
+      - and:
+          - type: value
+            key: Engine
+            value: aurora-postgresql
+          - or:
+              - type: db-cluster-parameter
+                key: log_min_duration_statement
+                value: absent
+              - type: db-cluster-parameter
+                key: log_min_duration_statement
+                value: -1
+              - not:
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: postgresql
+                  - type: db-cluster-parameter
+                    key: log_statement
+                    value: all
diff --git a/policies/ecc-aws-425-elasticsearch_slow_logs_enabled.yml b/policies/ecc-aws-425-elasticsearch_slow_logs_enabled.yml
diff --git a/policies/ecc-aws-427-elasticache_auth_token_rotated_every_90_days.yml b/policies/ecc-aws-427-elasticache_auth_token_rotated_every_90_days.yml
diff --git a/policies/ecc-aws-429-elasticsearch_encrypted_with_kms_cmk.yml b/policies/ecc-aws-429-elasticsearch_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-430-autoscaling_group_cooldown_period.yml b/policies/ecc-aws-430-autoscaling_group_cooldown_period.yml
diff --git a/policies/ecc-aws-431-elasticsearch_enforces_https.yml b/policies/ecc-aws-431-elasticsearch_enforces_https.yml
diff --git a/policies/ecc-aws-432-elasticsearch_latest_version.yml b/policies/ecc-aws-432-elasticsearch_latest_version.yml
diff --git a/policies/ecc-aws-433-autoscaling_group_has_associated_elb.yml b/policies/ecc-aws-433-autoscaling_group_has_associated_elb.yml
diff --git a/policies/ecc-aws-434-xray-encrypted_with_kms_cmk.yml b/policies/ecc-aws-434-xray-encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-435-workspaces_unused_instances.yml b/policies/ecc-aws-435-workspaces_unused_instances.yml
diff --git a/policies/ecc-aws-436-autoscaling_group_utilize_multi_az.yml b/policies/ecc-aws-436-autoscaling_group_utilize_multi_az.yml
diff --git a/policies/ecc-aws-437-workspaces_instances_are_healthy.yml b/policies/ecc-aws-437-workspaces_instances_are_healthy.yml
diff --git a/policies/ecc-aws-438-autoscaling_group_has_valid_configuration.yml b/policies/ecc-aws-438-autoscaling_group_has_valid_configuration.yml
diff --git a/policies/ecc-aws-439-workspaces_storage_encrypted.yml b/policies/ecc-aws-439-workspaces_storage_encrypted.yml
diff --git a/policies/ecc-aws-440-backup_service_compliant_lifecycle_enabled.yml b/policies/ecc-aws-440-backup_service_compliant_lifecycle_enabled.yml
diff --git a/policies/ecc-aws-442-backups_encrypted_with_kms_customer_master_keys.yml b/policies/ecc-aws-442-backups_encrypted_with_kms_customer_master_keys.yml
diff --git a/policies/ecc-aws-444-use_secure_ssl_protocols_between_cloudfront_origin.yml b/policies/ecc-aws-444-use_secure_ssl_protocols_between_cloudfront_origin.yml
diff --git a/policies/ecc-aws-445-rds_mysql_instances_latest_major_version.yml b/policies/ecc-aws-445-rds_mysql_instances_latest_major_version.yml
diff --git a/policies/ecc-aws-447-sqs_encrypted_with_kms_cmk.yml b/policies/ecc-aws-447-sqs_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption.yml b/policies/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption.yml
diff --git a/policies/ecc-aws-449-sqs_not_open_to_everyone.yml b/policies/ecc-aws-449-sqs_not_open_to_everyone.yml
diff --git a/policies/ecc-aws-451-postgresql_log_parser_stats_flag_is_disabled.yml b/policies/ecc-aws-451-postgresql_log_parser_stats_flag_is_disabled.yml
diff --git a/policies/ecc-aws-452-cloudtrail_logs_management_events.yml b/policies/ecc-aws-452-cloudtrail_logs_management_events.yml
diff --git a/policies/ecc-aws-453-event_bus_is_exposed_to_everyone.yml b/policies/ecc-aws-453-event_bus_is_exposed_to_everyone.yml
diff --git a/policies/ecc-aws-454-postgresql_log_planner_stats_flag_disabled.yml b/policies/ecc-aws-454-postgresql_log_planner_stats_flag_disabled.yml
diff --git a/policies/ecc-aws-455-postgresql_log_executor_stats_flag_disabled.yml b/policies/ecc-aws-455-postgresql_log_executor_stats_flag_disabled.yml
diff --git a/policies/ecc-aws-457-postgresql_log_min_error_statement_flag_set_correctly.yml b/policies/ecc-aws-457-postgresql_log_min_error_statement_flag_set_correctly.yml
diff --git a/...es/ecc-aws-458-glacier_vault_access_policy_does_not_allow_actions_from_all_principals.yml b/...es/ecc-aws-458-glacier_vault_access_policy_does_not_allow_actions_from_all_principals.yml
diff --git a/policies/ecc-aws-459-config_delivery_failed.yml b/policies/ecc-aws-459-config_delivery_failed.yml
diff --git a/policies/ecc-aws-461-dms_latest_version.yml b/policies/ecc-aws-461-dms_latest_version.yml
diff --git a/policies/ecc-aws-464-sagemaker_instances_encrypted_with_kms_cmk.yml b/policies/ecc-aws-464-sagemaker_instances_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-469-dms_auto_minor_version_upgrade.yml b/policies/ecc-aws-469-dms_auto_minor_version_upgrade.yml
diff --git a/policies/ecc-aws-470-dms_replication_instances_encrypted_with_kms_cmk.yml b/policies/ecc-aws-470-dms_replication_instances_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-471-oracle_audit_sys_operations_flag_enabled.yml b/policies/ecc-aws-471-oracle_audit_sys_operations_flag_enabled.yml
diff --git a/policies/ecc-aws-472-oracle_audit_trail_flag_set_correctly.yml b/policies/ecc-aws-472-oracle_audit_trail_flag_set_correctly.yml
diff --git a/policies/ecc-aws-473-oracle_global_names_flag_enabled.yml b/policies/ecc-aws-473-oracle_global_names_flag_enabled.yml
diff --git a/policies/ecc-aws-474-oracle_remote_listener_flag_empty.yml b/policies/ecc-aws-474-oracle_remote_listener_flag_empty.yml
diff --git a/policies/ecc-aws-475-oracle_sec_max_failed_login_attempts_flag_is_3_or_less.yml b/policies/ecc-aws-475-oracle_sec_max_failed_login_attempts_flag_is_3_or_less.yml
diff --git a/policies/ecc-aws-476-oracle_sec_protocol_error_further_action_flag_set_to_drop_3.yml b/policies/ecc-aws-476-oracle_sec_protocol_error_further_action_flag_set_to_drop_3.yml
diff --git a/policies/ecc-aws-477-oracle_sec_protocol_error_trace_action_flag_set_to_log.yml b/policies/ecc-aws-477-oracle_sec_protocol_error_trace_action_flag_set_to_log.yml
diff --git a/policies/ecc-aws-478-oracle_sec_return_server_release_banner_flag_disabled.yml b/policies/ecc-aws-478-oracle_sec_return_server_release_banner_flag_disabled.yml
diff --git a/policies/ecc-aws-479-oracle_sql92_security_flag_enabled.yml b/policies/ecc-aws-479-oracle_sql92_security_flag_enabled.yml
diff --git a/policies/ecc-aws-480-oracle_trace_files_public.yml b/policies/ecc-aws-480-oracle_trace_files_public.yml
diff --git a/policies/ecc-aws-481-oracle_resource_limit_flag_enabled.yml b/policies/ecc-aws-481-oracle_resource_limit_flag_enabled.yml
diff --git a/policies/ecc-aws-482-dms_multi_az_enabled.yml b/policies/ecc-aws-482-dms_multi_az_enabled.yml
diff --git a/policies/ecc-aws-487-ebs_volume_encrypted_with_kms_cmk.yml b/policies/ecc-aws-487-ebs_volume_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-488-ebs_snapshot_encrypted.yml b/policies/ecc-aws-488-ebs_snapshot_encrypted.yml
diff --git a/policies/ecc-aws-489-unused_ebs_volumes.yml b/policies/ecc-aws-489-unused_ebs_volumes.yml
diff --git a/policies/ecc-aws-490-unused_ec2_access_keys.yml b/policies/ecc-aws-490-unused_ec2_access_keys.yml
diff --git a/policies/ecc-aws-492-mysql_sql_mode_flag_contains_strict_all_tables.yml b/policies/ecc-aws-492-mysql_sql_mode_flag_contains_strict_all_tables.yml
diff --git a/policies/ecc-aws-493-workspaces_images_not_older_than_90_days.yml b/policies/ecc-aws-493-workspaces_images_not_older_than_90_days.yml
diff --git a/policies/ecc-aws-494-workspaces_web_access_disabled.yml b/policies/ecc-aws-494-workspaces_web_access_disabled.yml
diff --git a/policies/ecc-aws-495-fsx_all_types_of_file_systems_encrypted_with_kms_cmk.yml b/policies/ecc-aws-495-fsx_all_types_of_file_systems_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE.yml b/policies/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE.yml
diff --git a/policies/ecc-aws-497-lambda_active_tracing_enabled.yml b/policies/ecc-aws-497-lambda_active_tracing_enabled.yml
diff --git a/policies/ecc-aws-499-sagemaker_endpoint_configuration_encrypted.yml b/policies/ecc-aws-499-sagemaker_endpoint_configuration_encrypted.yml
diff --git a/policies/ecc-aws-500-lambda_variables_encrypted_with_kms_cmk.yml b/policies/ecc-aws-500-lambda_variables_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-501-sagemaker_instance_root_disabled.yml b/policies/ecc-aws-501-sagemaker_instance_root_disabled.yml
diff --git a/policies/ecc-aws-502-mq_broker_auto_minor_version_upgrade_enabled.yml b/policies/ecc-aws-502-mq_broker_auto_minor_version_upgrade_enabled.yml
diff --git a/policies/ecc-aws-503-mq_broker_logging_enabled.yml b/policies/ecc-aws-503-mq_broker_logging_enabled.yml
diff --git a/policies/ecc-aws-504-sagemaker_network_isolation_enabled.yml b/policies/ecc-aws-504-sagemaker_network_isolation_enabled.yml
diff --git a/policies/ecc-aws-505-route53_domain_automatic_renewal_enabled.yml b/policies/ecc-aws-505-route53_domain_automatic_renewal_enabled.yml
diff --git a/policies/ecc-aws-506-mq_broker_not_publicly_accessible.yml b/policies/ecc-aws-506-mq_broker_not_publicly_accessible.yml
diff --git a/policies/ecc-aws-507-route53_domain_expires_in_30_days.yml b/policies/ecc-aws-507-route53_domain_expires_in_30_days.yml
diff --git a/policies/ecc-aws-508-mq_broker_open_to_all_ports_protocols.yml b/policies/ecc-aws-508-mq_broker_open_to_all_ports_protocols.yml
diff --git a/policies/ecc-aws-510-route53_hosted_zone_records_health_check_configured.yml b/policies/ecc-aws-510-route53_hosted_zone_records_health_check_configured.yml
diff --git a/policies/ecc-aws-511-msk_data_encrypted_with_kms_cmk.yml b/policies/ecc-aws-511-msk_data_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-512-msk_encryption_in_transit_enabled.yml b/policies/ecc-aws-512-msk_encryption_in_transit_enabled.yml
diff --git a/policies/ecc-aws-513-route53_query_logging_enabled.yml b/policies/ecc-aws-513-route53_query_logging_enabled.yml
diff --git a/policies/ecc-aws-514-msk_logging_enabled.yml b/policies/ecc-aws-514-msk_logging_enabled.yml
diff --git a/policies/ecc-aws-515-rds_encrypted_with_kms_cmk.yml b/policies/ecc-aws-515-rds_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-516-sns_encrypted_with_kms_cmk.yml b/policies/ecc-aws-516-sns_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-517-redshift_user_activity_logging_enabled.yml b/policies/ecc-aws-517-redshift_user_activity_logging_enabled.yml
diff --git a/policies/ecc-aws-519-redshift_not_using_default_port.yml b/policies/ecc-aws-519-redshift_not_using_default_port.yml
diff --git a/policies/ecc-aws-520-redshift_encrypted_with_kms_cmk.yml b/policies/ecc-aws-520-redshift_encrypted_with_kms_cmk.yml
diff --git a/policies/ecc-aws-521-redshift_parameter_group_require_ssl.yml b/policies/ecc-aws-521-redshift_parameter_group_require_ssl.yml
diff --git a/policies/ecc-aws-522-route53_transfer_lock_enabled.yml b/policies/ecc-aws-522-route53_transfer_lock_enabled.yml
diff --git a/policies/ecc-aws-524-rest_api_gateway_access_logging_enabled.yml b/policies/ecc-aws-524-rest_api_gateway_access_logging_enabled.yml
diff --git a/policies/ecc-aws-525-ecs_exec_logging_encryption_enabled.yml b/policies/ecc-aws-525-ecs_exec_logging_encryption_enabled.yml
diff --git a/policies/ecc-aws-526-rest_api_gateway_logs_set_correctly.yml b/policies/ecc-aws-526-rest_api_gateway_logs_set_correctly.yml
diff --git a/policies/ecc-aws-527-mwaa_encrypted_with_kms_cmk.yml b/policies/ecc-aws-527-mwaa_encrypted_with_kms_cmk.yml