@aws/nx-plugin 0.1.6 → 0.2.0

package/src/infra/app/files/common/constructs/src/core/cfn-guard-rules/pci-dss-3-2-1.guard

@@ -0,0 +1,2236 @@
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    DMS_REPLICATION_NOT_PUBLIC
+#
+# Description:
+#   Checks whether AWS Database Migration Service replication instances are not set to allow public.
+#
+# Reports on:
+#    AWS::DMS::ReplicationInstance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there is no DMS Replication Instance present
+# b) FAIL: When DMS Replication Instance is present and PubliclyAccessible property is set to true
+# c) PASS: When DMS Replication Instance is present and PubliclyAccessible property is set to false
+# c) PASS: When DMS Replication Instance is present and PubliclyAccessible property is not set
+# d) SKIP: when metada has rule suppression for DMS_REPLICATION_NOT_PUBLIC
+
+#
+# Select all Redshift cluster resources from incoming template
+#
+
+let dms_replication_instances = Resources.*[ Type == 'AWS::DMS::ReplicationInstance'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "DMS_REPLICATION_NOT_PUBLIC"
+]
+
+rule DMS_REPLICATION_NOT_PUBLIC when %dms_replication_instances !empty {
+  %dms_replication_instances.Properties.PubliclyAccessible exists
+  %dms_replication_instances.Properties.PubliclyAccessible == false
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2    
+    Violation: AWS Database Migration Service replication instances should not be public.
+    Fix: Set the DMS Replication Instance property PubliclyAccessible parameter to true.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    EC2_INSTANCE_NO_PUBLIC_IP
+#
+# Description:
+#    Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. 
+#
+# Reports on:
+#    AWS::EC2::Instance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when no EC2 Instance resources are present
+# b) SKIP: when no EC2 Instances have network interfaces defined
+# c) PASS: when no EC2 Instances with network interfaces have associated public IP addresses
+# d) FAIL: when any EC2 Instances with network interfaces have associated public IP addresses
+# e) SKIP: hen metadata includes the suppression for rule EC2_INSTANCE_NO_PUBLIC_IP
+
+#
+# Select all EC2 Instance resources from incoming template (payload)
+#
+let ec2_instances_no_public_ip = Resources.*[Type == 'AWS::EC2::Instance'
+	Properties.NetworkInterfaces[*] !empty 
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_INSTANCE_NO_PUBLIC_IP"
+]
+
+rule EC2_INSTANCE_NO_PUBLIC_IP when %ec2_instances_no_public_ip !empty {
+	%ec2_instances_no_public_ip.Properties.NetworkInterfaces[*] {
+		AssociatePublicIpAddress !exists OR 
+		AssociatePublicIpAddress == false
+		<<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2    
+    	Violation: EC2 Instances cannot have public IP addresses associated with their network interfaces 
+    	Fix: remove the AssociatePublicIpAddress property from NetworkInterfaces list or set it to false
+  	>>
+	}
+}
+
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    ELASTICSEARCH_IN_VPC_ONLY
+#
+# Description:
+#   Elasticsearch domains must be in a VPC
+#
+# Reports on:
+#    AWS::Elasticsearch::Domain
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there is no elasticsearch domain present
+# b) FAIL: when elasticsearch domain does not have VPCOptions or Endpoint properties
+# c) PASS: when elasticsearch domain has VPCOptions or Endpoint properties
+# d) SKIP: when metada has rule suppression for ELASTICSEARCH_IN_VPC_ONLY
+
+#
+# Select all elasticsearch domains from incoming template
+#
+let elasticsearch_domains_vpc_required = Resources.*[ Type == 'AWS::Elasticsearch::Domain'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "ELASTICSEARCH_IN_VPC_ONLY"
+]
+
+rule ELASTICSEARCH_IN_VPC_ONLY when %elasticsearch_domains_vpc_required !empty {
+  %elasticsearch_domains_vpc_required.Properties.VPCOptions EXISTS
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2    
+    Violation: Elasticsearch domains must be in a VPC.
+    Fix: Provide VPCOptions object to enable opensearch to function in a VPC.
+  >>
+}
+## Config Rule Name : emr-master-no-public-ip
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/emr-master-no-public-ip.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    INCOMING_SSH_DISABLED
+#
+# Description:
+#    Checks if the incoming SSH traffic for the security groups is accessible. 
+#
+# Reports on:
+#    AWS::EC2::SecurityGroup
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when no Security Group resources are present
+# b) SKIP: when no SSH ingress is defined (port 22)
+# c) PASS: when all Security Groups resources restrict the IP address of the incoming SSH traffic
+# d) FAIL: when a Security Group allows SSH traffic from any IP address (0.0.0.0/0). 
+# e) SKIP: hen metadata includes the suppression for rule INCOMING_SSH_DISABLED
+
+#
+# Select all Security Group resources from incoming template (payload)
+#
+let aws_security_groups_restricted_ssh = Resources.*[ 
+	Type == 'AWS::EC2::SecurityGroup'
+	some Properties.SecurityGroupIngress[*] {
+		ToPort == 22
+		FromPort == 22
+		IpProtocol == "tcp"
+	}
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "INCOMING_SSH_DISABLED"
+]
+
+rule INCOMING_SSH_DISABLED when %aws_security_groups_restricted_ssh !empty {
+	%aws_security_groups_restricted_ssh.Properties.SecurityGroupIngress[*] != {CidrIp:"0.0.0.0/0", ToPort:22, FromPort:22, IpProtocol:"tcp"}
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,2.2,2.2.2    
+    Violation: IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0)
+    Fix: set SecurityGroupIngress.CidrIp property to a more restrictive CIDR than 0.0.0.0/0
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    EC2_INSTANCES_IN_VPC
+#
+# Description:
+#    Checks if your EC2 instances belong to a virtual private cloud (VPC).
+#
+# Reports on:
+#    AWS::EC2::Instance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no EC2 resource present
+# b) PASS: when all EC2 resources have the SubnetId property set
+# c) FAIL: when any EC2 resources do not have the SubnetId property set
+# d) SKIP: when metadata includes the suppression for rule EC2_INSTANCES_IN_VPC
+
+#
+# Select all ECS Instance resources from incoming template (payload)
+#
+let ec2_instances_in_vpc = Resources.*[ Type == 'AWS::EC2::Instance' 
+  Metadata.guard.SuppressedRules not exists or 
+  Metadata.guard.SuppressedRules.* != "EC2_INSTANCES_IN_VPC"
+]
+
+rule EC2_INSTANCES_IN_VPC when %ec2_instances_in_vpc !empty {
+  %ec2_instances_in_vpc.Properties.SubnetId !empty
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2    
+  	Violation: EC2 Instances must belong to a VPC
+  	Fix: set the SubnetId property to a subnet ID
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
+#
+# Description:
+#    Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access.
+#
+# Reports on:
+#    AWS::Lambda::Permission
+#    AWS::Lambda::LayerVersionPermission
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when no AWS Lambda permission policies are present
+# b) PASS: when all AWS Lambda permission policies prohibit public access
+# c) FAIL: when any AWS Lambda permission policies allow public access
+# d) SKIP: hen metadata includes the suppression for rule LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
+
+#
+# Select all AWS Lambda Permission resources from incoming template (payload)
+#
+let aws_lambda_permissions_public_access_prohibited = Resources.*[
+  Type in [ /AWS::Lambda::Permission/,
+    /AWS::Lambda::LayerVersionPermission/ ]
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED"
+]
+
+rule LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED when %aws_lambda_permissions_public_access_prohibited !empty {
+
+  # Lambda permission policy where principal is an account id
+  %aws_lambda_permissions_public_access_prohibited {
+    Type == 'AWS::Lambda::Permission'
+    Properties {
+      Principal in [ /^\d{12}$/, "AWS::AccountId" ]
+      OR Principal > 0
+    }
+  }
+
+  # Lambda permission policy where principal is a service (not s3)
+  OR %aws_lambda_permissions_public_access_prohibited {
+    Type == 'AWS::Lambda::Permission'
+    Properties {
+      Principal != 's3.amazonaws.com'
+      PrincipalOrgID !empty
+      OR SourceAccount exists
+      OR SourceArn !empty
+      <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,2.2.2    
+        Violation: All Lambda permission policies attached to Lambda resources must prohibit public access.
+        Fix: Limit permission policies by setting the Principal property to an account ID,
+        or limiting a service principal by setting the SourceArn, SourceAccount, or PrincipalOrgID properties.
+      >>
+    }
+  }
+
+  # Lambda permission policy where principal is s3 service
+  OR %aws_lambda_permissions_public_access_prohibited {
+    Type == 'AWS::Lambda::Permission'
+    Properties {
+      Principal == 's3.amazonaws.com'
+      PrincipalOrgID !empty
+      OR SourceAccount exists
+      <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,2.2.2    
+        Violation: All Lambda permission policies attached to Lambda resources must prohibit public access.
+        Fix: Limit permission policies by setting the Principal property to an account ID,
+        or for S3 as the principal specify either a SourceAccount or PrincipalOrgID.
+        Note: It is possible for an S3 bucket to be deleted by its owner and recreated by another account.
+      >>
+    }
+  }
+
+  # Lambda layer version permission policies
+  OR %aws_lambda_permissions_public_access_prohibited {
+    Type == 'AWS::Lambda::LayerVersionPermission'
+    Properties {
+      OrganizationId !empty
+      OR Principal in [ /^\d{12}$/, "AWS::AccountId" ]
+      OR Principal > 0
+      <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,2.2.2    
+        Violation: All Lambda permission policies attached to Lambda resources must prohibit public access.
+        Fix: For Lambda layer version permission policies, either limit permissions by the OrganizationId property
+        or set the Principal property to an account ID rather than using a wildcard (*).
+      >>
+    }
+  }
+}
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    LAMBDA_INSIDE_VPC
+#
+# Description:
+#    Checks whether an AWS Lambda function is allowed access to an Amazon Virtual Private Cloud.
+#
+# Reports on:
+#    AWS::Lambda::Function
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when no AWS Lambda functions are present
+# b) PASS: when all AWS Lambda functions are VPC enabled
+# c) FAIL: when any AWS Lambda functions are not VPC enabled
+# d) SKIP: hen metadata includes the suppression for rule LAMBDA_INSIDE_VPC
+
+#
+# Select all AWS Lambda Function resources from incoming template (payload)
+#
+let aws_lambda_functions_inside_vpc = Resources.*[ Type == 'AWS::Lambda::Function' 
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "LAMBDA_INSIDE_VPC"
+]
+
+rule  LAMBDA_INSIDE_VPC when %aws_lambda_functions_inside_vpc !empty {
+  %aws_lambda_functions_inside_vpc.Properties.VpcConfig.SecurityGroupIds !empty
+  %aws_lambda_functions_inside_vpc.Properties.VpcConfig.SubnetIds !empty
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,2.2.2    
+    Violation:  All AWS Lambda Functions must be configured with access to a VPC
+    Fix: set the VpcConfig.SecurityGroupIds and VpcConfig.SubnetIds parameters with a list of security groups and subnets.
+    Lambda creates an elastic network interface for each combination of security group and subnet in the function's VPC configuration.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    RDS_INSTANCE_PUBLIC_ACCESS_CHECK
+#
+# Description:
+#    Checks if an RDS instances has Publicly Accessible not set.
+#
+# Reports on:
+#    AWS::RDS::DBInstance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no RDS instances present
+# b) PASS: when all RDS instances have PubliclyAccessible set to true
+# c) FAIL: when all RDS instances have PubliclyAccessible set to false
+# d) FAIL: when there are RDS instances with PubliclyAccessible property is not present
+# e) SKIP: when metadata includes the suppression for rule RDS_INSTANCE_PUBLIC_ACCESS_CHECK
+
+#
+# Select all RDS instance resources from incoming template (payload)
+#
+let aws_rds_instances_not_public = Resources.*[ Type == 'AWS::RDS::DBInstance'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "RDS_INSTANCE_PUBLIC_ACCESS_CHECK"
+]
+
+rule RDS_INSTANCE_PUBLIC_ACCESS_CHECK when %aws_rds_instances_not_public !empty {
+  # ALL RDS instances must have PubliclyAccessible set to false
+  %aws_rds_instances_not_public.Properties.PubliclyAccessible == false
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2    
+    Violation: All RDS instances must not be publicly accessible.
+    Fix: Set the PubliclyAccessible to false.
+  >>
+}
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
+#
+# Description:
+#   Redshift cluster should not be publicly accessible on the internet.
+#
+# Reports on:
+#    AWS::EKS::Cluster
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there is no Redshift cluster present
+# b) PASS: when Redshift Cluster resources do not have the publiclyAccessible property set (default false)
+# c) PASS: when Redshift Cluster resources have the PubliclyAccessible property set to false
+# d) FAIL: when any Redshift Cluster resources have the PubliclyAccessible property set to true
+# e) SKIP: when metada includes the suppression for rule REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
+
+#
+# Select all Redshift cluster resources from incoming template
+#
+
+let aws_redshift_clusters_resources_public_access_check = Resources.*[ Type == 'AWS::Redshift::Cluster'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK"
+]
+
+
+rule REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK when %aws_redshift_clusters_resources_public_access_check !empty {
+    %aws_redshift_clusters_resources_public_access_check.Properties.PubliclyAccessible  not exists or
+    %aws_redshift_clusters_resources_public_access_check.Properties.PubliclyAccessible == false
+
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2    
+    Violation: Redshift cluster should not be available to public.
+    Fix: Set the Redshift property PubliclyAccessible parameter to false.
+  >>
+}
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    RESTRICTED_INCOMING_TRAFFIC
+#
+# Description:
+#    Checks if the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. 
+#
+# Reports on:
+#    AWS::EC2::SecurityGroup
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no Security Groups resource present
+# b) SKIP when there are no TCP or UDP ingress rules
+# c) PASS: when all Security Groups do no allow any of the restricted common ports
+# d) FAIL: when a Security Group allows any of the restricted common ports
+# e) SKIP: when metadata includes the suppression for rule RESTRICTED_INCOMING_TRAFFIC
+
+#
+# Select all Security Group resources from incoming template (payload)
+#
+let aws_security_groups_restricted_incoming_traffic = Resources.*[ Type == 'AWS::EC2::SecurityGroup' 
+	some Properties.SecurityGroupIngress[*] {
+		IpProtocol in ['tcp', 'udp']
+	}
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "RESTRICTED_INCOMING_TRAFFIC"
+]
+
+rule RESTRICTED_INCOMING_TRAFFIC when %aws_security_groups_restricted_incoming_traffic !empty {
+	let violations = Resources.*[
+		Type == 'AWS::EC2::SecurityGroup'
+		some Properties.SecurityGroupIngress[*] {
+			FromPort in [ 20, 21, 3389, 3306, 4333 ]
+      ToPort in [ 20, 21, 3389, 3306, 4333 ]
+		}
+	]
+	%violations empty 
+	<<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,2.2,2.2.2    
+		Violation: Security groups must not allow unrestricted incoming TCP/UDP traffic to the specified ports [20, 21, 3389, 3306, 4333].
+		Fix: change the FromPort and ToPort properties in the SecurityGroupIngress list 
+	>>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_PUBLIC_READ_PROHIBITED
+#
+# Description:
+#   Checks if your Amazon S3 buckets do not allow public read access. The rule checks the Block Public
+#   Access settings, the bucket policy, and the bucket access control list (ACL).
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources Public Access Block Configuration element is present and properties are set to true
+# c) FAIL: when all S3 resources do not have the Public Access Block Configuration element present or all properties set to true
+# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_PUBLIC_READ_PROHIBITED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_bucket_public_read_prohibited = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_PUBLIC_READ_PROHIBITED"
+]
+
+rule S3_BUCKET_PUBLIC_READ_PROHIBITED when %s3_bucket_public_read_prohibited !empty {
+  %s3_bucket_public_read_prohibited.Properties.PublicAccessBlockConfiguration exists
+  %s3_bucket_public_read_prohibited.Properties.PublicAccessBlockConfiguration.BlockPublicAcls == true
+  %s3_bucket_public_read_prohibited.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy == true
+  %s3_bucket_public_read_prohibited.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls == true
+  %s3_bucket_public_read_prohibited.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2,2.2.2    
+    Violation: S3 Bucket Public Write Access controls need to be restricted.
+    Fix: Set S3 Bucket PublicAccessBlockConfiguration properties for BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets parameters to true.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_PUBLIC_WRITE_PROHIBITED
+#
+# Description:
+#   Checks if your Amazon S3 buckets do not allow public write access. The rule checks the Block Public
+#   Access settings, the bucket policy, and the bucket access control list (ACL).
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources Public Access Block Configuration element is present and properties are set to true
+# c) FAIL: when all S3 resources do not have the Public Access Block Configuration element present or all properties set to true
+# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_PUBLIC_WRITE_PROHIBITED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_buckets_public_write_prohibited = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
+]
+
+rule S3_BUCKET_PUBLIC_WRITE_PROHIBITED when %s3_buckets_public_write_prohibited !empty {
+  %s3_buckets_public_write_prohibited.Properties.PublicAccessBlockConfiguration exists
+  %s3_buckets_public_write_prohibited.Properties.PublicAccessBlockConfiguration.BlockPublicAcls == true
+  %s3_buckets_public_write_prohibited.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy == true
+  %s3_buckets_public_write_prohibited.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls == true
+  %s3_buckets_public_write_prohibited.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2,2.2.2    
+    Violation: S3 Bucket Public Write Access controls need to be restricted.
+    Fix: Set S3 Bucket PublicAccessBlockConfiguration properties for BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets parameters to true.
+  >>
+}
+## Config Rule Name : sagemaker-notebook-no-direct-internet-access
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
+#
+# Description:
+#    Checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address.  
+#
+# Reports on:
+#    AWS::EC2::Subnet
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no EC2 Subnet resource present
+# b) PASS: when all EC2 Subnet resources have the MapPublicIpOnLaunch property set to false or it is missing (default false)
+# c) FAIL: when any EC2 Subnet resources have the MapPublicIpOnLaunch property set to true
+# d) SKIP: hen metadata includes the suppression for rule SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
+
+#
+# Select all EC2 Subnet resources from incoming template (payload)
+#
+let ec2_subnets_auto_assign_public_ip_disabled = Resources.*[ Type == 'AWS::EC2::Subnet' 
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED"
+]
+
+rule SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED when %ec2_subnets_auto_assign_public_ip_disabled !empty {
+	%ec2_subnets_auto_assign_public_ip_disabled.Properties.MapPublicIpOnLaunch !exists
+  OR %ec2_subnets_auto_assign_public_ip_disabled.Properties.MapPublicIpOnLaunch == false
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2    
+    Violation: VPCs should not have subnets that are assigned a public IP address.
+    Fix: remove the MapPublicIpOnLaucnh property or set it to false
+	>>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED
+#
+# Description:
+#   Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible.
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources Public Access Block Configuration element is present and properties are set to true
+# c) FAIL: when all S3 resources do not have the Public Access Block Configuration element present or all properties set to true
+# d) SKIP: when metada has rule suppression for S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_buckets_level_public_access_prohibited = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED"
+]
+
+rule S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED when %s3_buckets_level_public_access_prohibited !empty {
+  %s3_buckets_level_public_access_prohibited.Properties.PublicAccessBlockConfiguration exists
+  %s3_buckets_level_public_access_prohibited.Properties.PublicAccessBlockConfiguration.BlockPublicAcls == true
+  %s3_buckets_level_public_access_prohibited.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy == true
+  %s3_buckets_level_public_access_prohibited.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls == true
+  %s3_buckets_level_public_access_prohibited.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,1.3.4,1.3.6,2.2.2    
+    Violation: S3 Bucket Public Access controls need to be restricted.
+    Fix: Set S3 Bucket PublicAccessBlockConfiguration properties for BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets parameters to true.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    NO_UNRESTRICTED_ROUTE_TO_IGW
+#
+# Description:
+#    Checks if there are public routes in the route table to an Internet Gateway (IGW). 
+#
+# Reports on:
+#    AWS::EC2::Route
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when no EC2 Route resources are present
+# b) SKIP: when there are no EC2 Routes to an Internet Gateway (no GatewayId property)
+# c) PASS: when all EC2 Routes to an Internet Gateway have a restricted destination CIDR block (not '0.0.0.0/0' or '::/0')
+# d) FAIL: when any EC2 Routes to an Internet Gateway have a destination CIDR block of '0.0.0.0/0' or '::/0' 
+# e) SKIP: hen metadata includes the suppression for rule NO_UNRESTRICTED_ROUTE_TO_IGW
+
+#
+# Select all EC2 Route resources from incoming template (payload)
+#
+let routes_no_unrestricted_to_igw = Resources.*[ Type == 'AWS::EC2::Route' 
+	Properties.GatewayId exists
+	Metadata.guard.SuppressedRules not exists or	
+  Metadata.guard.SuppressedRules.* != "NO_UNRESTRICTED_ROUTE_TO_IGW"
+]
+
+rule NO_UNRESTRICTED_ROUTE_TO_IGW when %routes_no_unrestricted_to_igw !empty {
+	%routes_no_unrestricted_to_igw {
+		Properties {
+			DestinationCidrBlock not in ['0.0.0.0/0', '::/0']
+			<<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.2.1,1.3,1.3.1,1.3.2,2.2.2    
+				Violation: EC2 Routes to an IGW cannot have a destination CIDR block of '0.0.0.0/0' or '::/0' 
+				Fix: Remove routes to an IGW (with the GatewayId property defined) or modify the DestinationCidrBlock property to a more restricted CIDR block
+			>>
+		}
+	}
+}
+    ## Config Rule Name : autoscaling-launch-config-public-ip-disabled
+    ## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED.html"
+
+####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED
+#
+# Description:
+#    Checks if Amazon Redshift cluster has 'enhancedVpcRouting' enabled.
+#
+# Reports on:
+#   AWS::Redshift::Cluster
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no Redshift Cluster resource present
+# b) PASS: when Redshift Cluster resources have property EnhancedVpcRouting set to true 
+# c) FAIL: when any Redshift Cluster resources do not have EnhancedVpcRouting property set (defualt false)
+# d) FAIL: when any Redshift Cluster resources have EnhancedVpcRouting property set to false 
+# e) SKIP: when metadata includes the suppression for rule REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED
+
+#
+# Select all Redshift Cluster resources from incoming template (payload)
+#
+let redhshift_enhanced_vpc_routing_enabled_clusters = Resources.*[ Type == 'AWS::Redshift::Cluster' 
+	Metadata.guard.SuppressedRules not exists or
+    Metadata.guard.SuppressedRules.* != "REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED"
+]
+
+rule REDSHIFT_ENHANCED_VPC_ROUTING_ENABLED when %redhshift_enhanced_vpc_routing_enabled_clusters !empty {
+    %redhshift_enhanced_vpc_routing_enabled_clusters.Properties.EnhancedVpcRouting == true
+
+    <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 1.2,1.3,1.3.1,1.3.2    
+			Violation: Enhanced VPC Routing must be enabled on Redshift clusters 
+			Fix: set the EnhancedVpcRouting property to true
+    >>
+}
+    ## Config Rule Name : autoscaling-group-elb-healthcheck-required
+    ## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html"
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
+#
+# Description:
+#   Checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
+#
+# Reports on:
+#    AWS::AutoScaling::AutoScalingGroup
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources ObjectLockEnabled property is set to true
+# c) FAIL: when all S3 resources do not have the ObjectLockEnabled property is set to true or is missing
+# d) SKIP: when metada has rule suppression for S3_BUCKET_DEFAULT_LOCK_ENABLED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
+#
+# Description:
+#   Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs.
+#   The trail is non-compliant if the CloudWatchLogsLogGroupArn property of the trail is empty.
+#
+# Reports on:
+#    AWS::CloudTrail::Trail
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no CloudTrail Trails present
+# b) PASS: when all CloudTrail Trails have CloudWatchLogsLogGroupArn parameter set
+# c) FAIL: when there are CloudTrail Trails with CloudWatchLogsLogGroupArn property not present
+# d) SKIP: when metada has rule suppression for CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
+
+#
+# Select all CloudTrail Trail resources from incoming template (payload)
+#
+let cloudtrail_trails_cw_logs_enabled = Resources.*[ Type == 'AWS::CloudTrail::Trail'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"
+]
+
+rule CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED when %cloudtrail_trails_cw_logs_enabled !empty {
+  %cloudtrail_trails_cw_logs_enabled.Properties.CloudWatchLogsLogGroupArn exists
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6,10.5.3,10.5.4    
+    Violation: CloudTrail Trail should have logs exported to cloudwatch logs.
+    Fix: Set the CloudWatchLogsLogGroupArn parameter to enable exporting to CloudWatch Logs.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    CLOUD_TRAIL_ENCRYPTION_ENABLED
+#
+# Description:
+#   Checks if AWS CloudTrail is configured to use the server side encryption (SSE)
+#   AWS Key Management Service KMS key encryption.
+#
+# Reports on:
+#    AWS::CloudTrail::Trail
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no CloudTrail Trails present
+# b) PASS: when all CloudTrail Trails have KMSKeyId parameter set
+# c) FAIL: when there are CloudTrail Trails with KMSKeyId property not present
+# d) SKIP: when metada has rule suppression for CLOUD_TRAIL_ENCRYPTION_ENABLED
+
+#
+# Select all CloudTrail Trail resources from incoming template (payload)
+#
+let cloudtrail_trails_encryption = Resources.*[ Type == 'AWS::CloudTrail::Trail'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "CLOUD_TRAIL_ENCRYPTION_ENABLED"
+]
+
+rule CLOUD_TRAIL_ENCRYPTION_ENABLED when %cloudtrail_trails_encryption !empty {
+  %cloudtrail_trails_encryption.Properties.KMSKeyId EXISTS
+  %cloudtrail_trails_encryption.Properties.KMSKeyId is_string
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,3.4,10.5    
+    Violation: CloudTrail Trail should be used to encrypt logs delivered by CloudTrail.
+    Fix: Set the KMSKeyId parameter to enable encryption. The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
+#
+# Description:
+#   Checks whether AWS CloudTrail creates a signed digest file with logs.
+#
+# Reports on:
+#    AWS::CloudTrail::Trail
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no CloudTrail Trails present
+# b) PASS: when all CloudTrail Trails have EnableLogFileValidation parameter set true
+# c) FAIL: when there are CloudTrail Trails with the EnableLogFileValidation parameter is set to false
+# d) FAIL: when there are CloudTrail Trails with EnableLogFileValidation property not present
+# e) SKIP: when metada has rule suppression for CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
+
+
+#
+# Select all CloudTrail Trail resources from incoming template (payload)
+#
+let cloudtrail_trails_log_validation = Resources.*[ Type == 'AWS::CloudTrail::Trail'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED"
+]
+
+rule CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED when %cloudtrail_trails_log_validation !empty {
+  %cloudtrail_trails_log_validation.Properties.EnableLogFileValidation EXISTS
+  %cloudtrail_trails_log_validation.Properties.EnableLogFileValidation == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,10.5.2,10.5,10.5.5,11.5    
+    Violation: CloudTrail Trail should have Log File Validation enabled.
+    Fix: Set the EnableLogFileValidation parameter to true.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    CLOUDTRAIL_S3_DATAEVENTS_ENABLED
+#
+# Description:
+#   Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.
+#
+# Reports on:
+#    AWS::CloudTrail::Trail
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no CloudTrail Trails present
+# b) PASS: when all CloudTrail Trails have EventSelectors parameter set
+# c) FAIL: when there are CloudTrail Trails with EventSelectors property not present
+# d) SKIP: when metada has rule suppression for CLOUDTRAIL_S3_DATAEVENTS_ENABLED
+
+#
+# Select all CloudTrail Trail resources from incoming template (payload)
+#
+let cloudtrail_trails_dataevents = Resources.*[ Type == 'AWS::CloudTrail::Trail'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "CLOUDTRAIL_S3_DATAEVENTS_ENABLED"
+]
+
+rule CLOUDTRAIL_S3_DATAEVENTS_ENABLED when %cloudtrail_trails_dataevents !empty {
+  %cloudtrail_trails_dataevents.Properties.EventSelectors EXISTS
+  some %cloudtrail_trails_dataevents.Properties.EventSelectors.* == {DataResources:[{Type:'AWS::S3::Object',Values:['arn:aws:s3:::']}],IncludeManagementEvents:true,ReadWriteType:'All'}
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6    
+    Violation: CloudTrail Trail should have data events being logged.
+    Fix: Set the EventSelectors parameter to enable encryption. The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
+  >>
+}
+## Config Rule Name : cmk-backing-key-rotation-enabled
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/cmk-backing-key-rotation-enabled.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    EC2_EBS_ENCRYPTION_BY_DEFAULT
+#
+# Description:
+#    Check that Amazon Elastic Block Store (EBS) encryption is enabled by default
+# Reports on:
+#    AWS::EC2::Volume
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when no EC2 Volume resources are present
+# b) PASS: when all EC2 Volume resources have the Encrypted property set to true
+# c) FAIL: when any EC2 Volumes resources do not have the Encrypted property set to true
+# e) SKIP: when metadata includes the suppression for rule EC2_EBS_ENCRYPTION_BY_DEFAULT
+
+#
+# Select all EC2 Volume resources from incoming template (payload)
+#
+let ec2_ebs_volumes_encrypted_by_default = Resources.*[ Type == 'AWS::EC2::Volume' 
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_EBS_ENCRYPTION_BY_DEFAULT"
+]
+
+rule EC2_EBS_ENCRYPTION_BY_DEFAULT when %ec2_ebs_volumes_encrypted_by_default !empty {
+    %ec2_ebs_volumes_encrypted_by_default.Properties.Encrypted == true 
+		<<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,3.4,8.2.1    
+			Violation: All EBS Volumes should be encryped 
+			Fix: Set Encrypted property to true
+		>>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    ENCRYPTED_VOLUMES
+#
+# Description:
+#    Checks if the EBS volumes that are in an attached state are encrypted. 
+#
+# Reports on:
+#    AWS::EC2::Volume
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no EBS volume resources present
+# b) PASS: when all EBS volumes have the KmsKeyId property set or the Encrypted property set to true 
+# c) FAIL: when any EC2 volumes do not have the KmsKeyId or Encrypted property set
+# e) SKIP: hen metadata includes the suppression for rule ENCRYPTED_VOLUMES
+
+#
+# Select all EC2 Instance resources from incoming template (payload)
+#
+let ebs_volumes_encrypted = Resources.*[ Type == 'AWS::EC2::Volume' 
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "ENCRYPTED_VOLUMES"
+]
+
+rule ENCRYPTED_VOLUMES when %ebs_volumes_encrypted !empty {
+  %ebs_volumes_encrypted.Properties.KmsKeyId !empty
+	OR %ebs_volumes_encrypted.Properties.Encrypted == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,3.4,8.2.1    
+    Violation: EBS volumes in an attached state must encrypted.
+    Fix: either set the KmsKeyId property to a key ID, key alias, key ARN, or alias ARN 
+		or set the Encrypted property to true to encrypt the volume with the account default key or AWS managed key. 
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#   IAM_NO_INLINE_POLICY_CHECK 
+#
+# Description:
+#   Checks that inline policy feature is not in use.
+#
+# Reports on:
+#   AWS::IAM::User
+#   AWS::IAM::Role
+#   AWS::IAM::Group
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no IAM Users, Roles, or Groups present
+# b) PASS: when all IAM Users, Roles, or Groups present have no inline policies listed
+# c) FAIL: when any IAM Users, Roles, or Groups present have inline policies listed
+# d) SKIP: when metada has rule suppression for IAM_NO_INLINE_POLICY_CHECK
+
+#
+# Select all IAM User, Role, and Group resources from incoming template (payload)
+#
+let aws_iam_entities_no_inline_policy = Resources.*[
+  Type in [ /AWS::IAM::User/,
+            /AWS::IAM::Role/,
+            /AWS::IAM::Group/ ]
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "IAM_NO_INLINE_POLICY_CHECK"
+]
+
+rule IAM_NO_INLINE_POLICY_CHECK when %aws_iam_entities_no_inline_policy !empty {
+  %aws_iam_entities_no_inline_policy.Properties.Policies empty
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,7.1.2,7.1.3,7.2.1,7.2.2    
+    Violation: Inline policies are not allowed on IAM Users, Roles, or Groups.
+    Fix: Remove the Policies list property from any IAM Users, Roles, or Groups.
+  >>
+}
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#   IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
+#
+# Description:
+#   Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources. 
+#
+# Reports on:
+#   AWS::IAM::Policy
+#
+# Evaluates:
+#   AWS CloudFormation
+#
+# Rule Parameters:
+#   NA
+#
+# Scenarios:
+# a) SKIP: when there are no IAM Policies present
+# b) PASS: when all IAM Policies do not grant permissions to all actions on all resources
+# c) FAIL: when any IAM Policies grant permissions to all actions on all resources
+# d) SKIP: when metada has rule suppression for IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
+
+#
+# Select all IAM Policy resources from incoming template (payload)
+# 
+let aws_iam_policies_no_statements_with_admin_access = Resources.*[ Type == 'AWS::IAM::Policy' 
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS"
+]
+
+rule IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS when %aws_iam_policies_no_statements_with_admin_access !empty {
+  let violations = Resources.*[
+    Type == 'AWS::IAM::Policy' 
+    some Properties.PolicyDocument.Statement[*] {
+      some Action[*] == "*"
+      Effect == "Allow"
+      Resource == "*"
+    }
+  ]
+  %violations empty
+	<<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,7.1.2,7.1.3,7.2.1,7.2.2    
+    Violation: One or more IAM policies contain allow statements that grant permissions to all actions on all resources
+    Fix: Remove policy statements that match {"Effect": "Allow", "Action": "*", "Resource": "*"}
+  >>
+} 
+
+
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#   IAM_USER_NO_POLICIES_CHECK
+#
+# Description:
+#   Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. 
+#
+# Reports on:
+#   AWS::IAM::User
+#
+# Evaluates:
+#   AWS CloudFormation
+#
+# Rule Parameters:
+#   NA
+#
+# Scenarios:
+# a) SKIP: when there are no IAM Users present
+# b) PASS: when all IAM Users do not have policies attached
+# c) FAIL: when any IAM User have policies attached
+# d) SKIP: when metada has rule suppression for IAM_USER_NO_POLICIES_CHECK
+
+#
+# Select all IAM User resources from incoming template (payload)
+# 
+let aws_iam_users_no_policies = Resources.*[ Type == 'AWS::IAM::User'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "IAM_USER_NO_POLICIES_CHECK" 
+]
+
+rule IAM_USER_NO_POLICIES_CHECK when %aws_iam_users_no_policies !empty {
+  %aws_iam_users_no_policies.Properties.Policies empty
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,7.1.2,7.1.3,7.2.1,7.2.2    
+  	Violation: Inline policies are not allowed on IAM Users. IAM users must inherit permissions from IAM groups or roles.
+  	Fix: Remove the Policies list property from any IAM Users. 
+  >>
+}
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_LOGGING_ENABLED
+#
+# Description:
+#   Checks whether logging is enabled for your S3 buckets.
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources Logging Configuration exists
+# c) FAIL: when all S3 resources have Logging Configuration is not set
+# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_LOGGING_ENABLED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+
+let s3_buckets_bucket_logging_enabled = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_LOGGING_ENABLED"
+]
+
+rule S3_BUCKET_LOGGING_ENABLED when %s3_buckets_bucket_logging_enabled  !empty {
+  %s3_buckets_bucket_logging_enabled.Properties.LoggingConfiguration exists
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.2.7,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6    
+    Violation: S3 Bucket Logging needs to be configured to enable logging.
+    Fix: Set the S3 Bucket property LoggingConfiguration to start logging into S3 bucket.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_REPLICATION_ENABLED
+#
+# Description:
+#   Checks whether the Amazon S3 buckets have cross-region replication enabled.
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources replication configuration set status is set to Enabled
+# c) FAIL: when all S3 resources have Versioning Configuration status property not set or set to Suspended
+# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_REPLICATION_ENABLED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+
+let s3_buckets_replication_enabled = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_REPLICATION_ENABLED"
+]
+
+rule S3_BUCKET_REPLICATION_ENABLED when %s3_buckets_replication_enabled !empty {
+  %s3_buckets_replication_enabled.Properties.ReplicationConfiguration exists
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,10.5.3    
+    Violation: S3 Bucket replication should be enabled.
+    Fix: Set S3 Bucket ReplicationConfiguration to another S3 Bucket.
+  >>
+    ## TODO regex to identify cross-region
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
+#
+# Description:
+#   Checks if your Amazon S3 bucket either has the Amazon S3 default encryption enabled or that the Amazon S3 bucket policy
+#   explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service.
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources Bucket Encryption ServerSideEncryptionByDefault is set to either "aws:kms" or "AES256"
+# c) FAIL: when all S3 resources have Bucket Encryption ServerSideEncryptionByDefault is not set or does not have "aws:kms" or "AES256" configurations
+# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+
+let s3_buckets_server_side_encryption = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
+]
+
+rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED when %s3_buckets_server_side_encryption !empty {
+  %s3_buckets_server_side_encryption.Properties.BucketEncryption exists
+  %s3_buckets_server_side_encryption.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ["aws:kms","AES256"]
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,3.4,8.2.1,10.5    
+    Violation: S3 Bucket must enable server-side encryption.
+    Fix: Set the S3 Bucket property BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm to either "aws:kms" or "AES256"
+  >>
+}
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_SSL_REQUESTS_ONLY
+#
+# Description:
+#   Checks if Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
+#
+# Reports on:
+#    AWS::S3::BucketPolicy
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 Bucket Policy Document resource present
+# b) PASS: when all S3 Bucket Policy Document set to deny if condition SecureTransport not true
+# c) FAIL: when all S3 Bucket Policy Document does not have deny on insecure transport actions
+# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_SSL_REQUESTS_ONLY
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_buckets_policies_ssl_requests_only = Resources.*[ Type == 'AWS::S3::BucketPolicy'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_SSL_REQUESTS_ONLY"
+]
+
+rule S3_BUCKET_SSL_REQUESTS_ONLY when %s3_buckets_policies_ssl_requests_only !empty {
+  some %s3_buckets_policies_ssl_requests_only.Properties.PolicyDocument.Statement.* == {"Action":"s3:*","Effect":"Deny","Principal":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":false}}}
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,4.1,8.2.1    
+    Violation: Bucket policies must feature a statement to enforce TLS usage.
+    Fix: Set a bucket policy statement to '"Action":"s3:*","Effect":"Deny","Principal":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":false}}' .
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    EC2_INSTANCE_PROFILE_ATTACHED
+#
+# Description:
+#    Checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it. 
+#
+# Reports on:
+#    AWS::EC2::Instance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when no EC2 Instance resources are present 
+# b) PASS: when all EC2 Instace resources have an associated IAM instance profile 
+# d) FAIL: when any EC2 Instace resources do not have an associated IAM instance profile
+# e) SKIP: hen metadata includes the suppression for rule EC2_INSTANCE_PROFILE_ATTACHED
+
+#
+# Select all EC2 Instance resources from incoming template (payload)
+#
+let ec2_instances_profile_attached = Resources.*[ Type == 'AWS::EC2::Instance' 
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_INSTANCE_PROFILE_ATTACHED"
+]
+
+rule EC2_INSTANCE_PROFILE_ATTACHED when %ec2_instances_profile_attached !empty {
+  %ec2_instances_profile_attached.Properties.IamInstanceProfile EXISTS
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 2.2,7.1.1,7.2.1    
+    Violation: EC2 Instances must have IAM profile attached to it.
+    Fix: Associate the EC2 Instance property IamInstanceProfile with an IAM Instance Profile.
+  >>
+}
+
+## Config Rule Name : alb-http-to-https-redirection-check
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/alb-http-to-https-redirection-check.html"
+
+# Rule Intent: Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers.
+
+# Expectations:
+# a) SKIP: when there are no ALB resources present
+# b) PASS: when one or more HTTP listeners have forwarding to an HTTPS listener
+# c) FAIL: when one of more HTTP listeners have forwarding to an HTTP listener instead of redirection.
+# d) FAIL: when one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured.
+
+
+
+#
+# Select all ALB resources from incoming template (payload)
+#
+
+## Config Rule Name : api-gw-ssl-enabled
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-ssl-enabled.html"
+
+## Config Rule Name : elb-predefined-security-policy-ssl-check
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html"
+
+## Config Rule Name : elb-tls-https-listeners-only
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/elb-tls-https-listeners-only.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    CW_LOGGROUP_RETENTION_PERIOD_CHECK
+#
+# Description:
+#   Checks whether Amazon CloudWatch LogGroup retention
+#   period is set to specific number of days.
+#
+# Reports on:
+#    AWS::Logs::LogGroup
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no cloudwatch logs log group resources present
+# b) PASS: when all cloudwatch logs log group resources property RetentionInDays is set
+# c) FAIL: when all cloudwatch logs log group resources property RetentionInDays is not set with valid value
+# d) SKIP: when metada has rule suppression for CW_LOGGROUP_RETENTION_PERIOD_CHECK
+
+#
+# Select all cloudwatch logs log group resources from incoming template (payload)
+#
+let cloudwatch_logs_retention_period = Resources.*[ Type == 'AWS::Logs::LogGroup'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
+]
+
+rule CW_LOGGROUP_RETENTION_PERIOD_CHECK when %cloudwatch_logs_retention_period !empty {
+  %cloudwatch_logs_retention_period.Properties.RetentionInDays IN [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 3.1,10.7    
+    Violation: CloudWatch Log LogsGroup does not have RetentionInDays set.
+    Fix: Set the RetentionInDays parameter to a value of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, or 3653.
+  >>
+}
+## Config Rule Name : api-gw-cache-enabled-and-encrypted
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-cache-enabled-and-encrypted.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    CLOUDWATCH_LOG_GROUP_ENCRYPTED
+#
+# Description:
+#   Checks if a log group in Amazon CloudWatch Logs is encrypted with a
+#   AWS Key Management Service (KMS) managed Customer Master Keys (CMK).
+#
+# Reports on:
+#    AWS::Logs::LogGroup
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no cloudwatch logs log group resources present
+# b) PASS: when all cloudwatch logs log group resources property KmsKeyId is set
+# c) FAIL: when all cloudwatch logs log group resources property KmsKeyId is not set with valid value
+# d) SKIP: when metada has rule suppression for CLOUDWATCH_LOG_GROUP_ENCRYPTED
+
+#
+# Select all cloudwatch logs log group resources from incoming template (payload)
+#
+let cloudwatch_logs = Resources.*[ Type == 'AWS::Logs::LogGroup'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "CLOUDWATCH_LOG_GROUP_ENCRYPTED"
+]
+
+rule CLOUDWATCH_LOG_GROUP_ENCRYPTED when %cloudwatch_logs !empty {
+  %cloudwatch_logs.Properties.KmsKeyId exists
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 3.4    
+    Violation: CloudWatch Log LogsGroup does not have KmsKeyId set.
+    Fix: Set the KmsKeyId parameter to a ARN.
+  >>
+}
+
+## Config Rule Name : dynamodb-table-encrypted-kms
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-table-encrypted-kms.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    EFS_ENCRYPTED_CHECK
+#
+# Description:
+#   Checks if Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data
+#   using AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the encrypted
+#   key is set to false on DescribeFileSystems or if the KmsKeyId key on DescribeFileSystems
+#   does not match the KmsKeyId parameter.
+#
+# Reports on:
+#    AWS::EFS::FileSystem
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no EFS resource present
+# b) PASS: when all EFS resources have encrypted key property set to true
+# c) FAIL: when all EFS resources have encrypted key property not set or set to false
+# d) SKIP: when guard metadata states EFS_ENCRYPTED_CHECK to be suppressed
+
+#
+# Select all EFS resources from incoming template (payload)
+#
+let efs_file_systems_encrypted_check = Resources.*[ Type == 'AWS::EFS::FileSystem'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EFS_ENCRYPTED_CHECK"
+]
+
+rule EFS_ENCRYPTED_CHECK when %efs_file_systems_encrypted_check !empty {
+  %efs_file_systems_encrypted_check.Properties.Encrypted == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 3.4,8.2.1    
+    Violation: EFS filesystem must be encrypted.
+    Fix: Set the EFS Filesystem property Encrypted parameter to true.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    ELASTICSEARCH_ENCRYPTED_AT_REST
+#
+# Description:
+#   Elasticsearch domains must enforce server side encryption
+#
+# Reports on:
+#    AWS::Elasticsearch::Domain
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there is no elasticsearch domain present
+# b) FAIL: when elasticsearch domain has server side encryption set to false
+# c) PASS: when elasticsearch domain has server side encryption set to true
+# d) FAIL: when elasticsearch domain has server side encryption property is missing
+# e) SKIP: when metada has rule suppression for ELASTICSEARCH_ENCRYPTED_AT_REST
+
+#
+# Select all elasticsearch domains from incoming template
+#
+let elasticsearch_domains_encrypted = Resources.*[ Type == 'AWS::Elasticsearch::Domain'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "ELASTICSEARCH_ENCRYPTED_AT_REST"
+]
+
+rule ELASTICSEARCH_ENCRYPTED_AT_REST when %elasticsearch_domains_encrypted !empty {
+  %elasticsearch_domains_encrypted.Properties.EncryptionAtRestOptions.Enabled == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 3.4,8.2.1    
+    Violation: Elasticsearch domains must enforce server side encryption.
+    Fix: Set the EncryptionAtRestOptions.Enabled parameter to true.
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    RDS_SNAPSHOT_ENCRYPTED
+#
+# Description:
+#    Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted.
+#
+#
+# Reports on:
+#    AWS::RDS::DBInstance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no RDS instances present
+# b) PASS: when all RDS instances have StorageEncrypted set to true
+# c) FAIL: when all RDS instances have StorageEncrypted set to false
+# d) FAIL: when there are RDS instances with StorageEncrypted property is not present
+# e) SKIP: when metadata includes the suppression for rule RDS_SNAPSHOT_ENCRYPTED
+
+#
+# Select all RDS instance resources from incoming template (payload)
+#
+let aws_rds_instances_snapshot_encrypted = Resources.*[ Type == 'AWS::RDS::DBInstance'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "RDS_SNAPSHOT_ENCRYPTED"
+]
+
+
+rule RDS_SNAPSHOT_ENCRYPTED when %aws_rds_instances_snapshot_encrypted !empty {
+  %aws_rds_instances_snapshot_encrypted.Properties.StorageEncrypted EXISTS
+  %aws_rds_instances_snapshot_encrypted.Properties.StorageEncrypted == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 3.4,8.2.1    
+    Violation: All RDS instances must have snapshots encrypted.
+    Fix: Set the StorageEncrypted parameter to true so by default all snapshots are encrypted.
+  >>
+}
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    RDS_STORAGE_ENCRYPTED
+#
+# Description:
+#    Checks whether storage encryption is enabled for your RDS DB instances.
+#
+#
+# Reports on:
+#    AWS::RDS::DBInstance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no RDS instances present
+# b) PASS: when all RDS instances have StorageEncrypted set to true
+# c) FAIL: when all RDS instances have StorageEncrypted set to false
+# d) FAIL: when there are RDS instances with StorageEncrypted property is not present
+# e) SKIP: when metadata includes the suppression for rule RDS_STORAGE_ENCRYPTED
+
+#
+# Select all RDS instance resources from incoming template (payload)
+#
+let aws_rds_instances_storage_encrypted = Resources.*[ Type == 'AWS::RDS::DBInstance'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "RDS_STORAGE_ENCRYPTED"
+]
+
+
+rule RDS_STORAGE_ENCRYPTED when %aws_rds_instances_storage_encrypted !empty {
+  %aws_rds_instances_storage_encrypted.Properties.StorageEncrypted EXISTS
+  %aws_rds_instances_storage_encrypted.Properties.StorageEncrypted == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 3.4,8.2.1    
+    Violation: All RDS instances must have encrypted storage.
+    Fix: Set the StorageEncrypted parameter to true.
+  >>
+}
+
+####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    REDSHIFT_CLUSTER_CONFIGURATION_CHECK
+#
+# Description:
+#    Checks whether Amazon Redshift clusters have the specified settings (Encrypted Only)  
+#
+# Reports on:
+#   AWS::Redshift::Cluster
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no Redshift Cluster resource present
+# b) PASS: when Redshift Cluster resources have the Encrypted property set to true
+# c) FAIL: when any Redshift Cluster resources do not have Encrypted property set (default false)
+# d) FAIL: when any Redshift Cluster resources have Encrypted property set to false 
+# e) SKIP: when metadata includes the suppression for rule REDSHIFT_CLUSTER_CONFIGURATION_CHECK
+
+#
+# Select all Redshift Cluster resources from incoming template (payload)
+#
+let redhshift_clusters_configuration_check = Resources.*[ Type == 'AWS::Redshift::Cluster' 
+	Metadata.guard.SuppressedRules not exists or
+    Metadata.guard.SuppressedRules.* != "REDSHIFT_CLUSTER_CONFIGURATION_CHECK"
+]
+
+rule REDSHIFT_CLUSTER_CONFIGURATION_CHECK when %redhshift_clusters_configuration_check !empty {
+    %redhshift_clusters_configuration_check.Properties.Encrypted == true
+
+    <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 3.4,8.2.1,10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6    
+			Violation: Amazon Redshift configuration should have encryption enabled
+			Fix: Set the Encrypted property to true 
+    >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_DEFAULT_ENCRYPTION_KMS
+#
+# Description:
+#   Checks whether the Amazon S3 buckets are encrypted with AWS Key Management Service(AWS KMS).
+#   The rule is NON_COMPLIANT if the Amazon S3 bucket is not encrypted with AWS KMS key.
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources have ServerSideEncryptionConfiguration property set with values of "aws:kms" or "AES256"
+# c) FAIL: when all S3 resources have ServerSideEncryptionConfiguration property not set or values are not "aws:kms" or "AES256"
+# d) SKIP: when metadata includes the suppression for rule S3_DEFAULT_ENCRYPTION_KMS
+
+#
+# Assignments
+#
+let s3_buckets_s3_default_encryption = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_DEFAULT_ENCRYPTION_KMS"
+]
+
+rule S3_DEFAULT_ENCRYPTION_KMS when %s3_buckets_s3_default_encryption !empty {
+  %s3_buckets_s3_default_encryption.Properties.BucketEncryption exists
+  %s3_buckets_s3_default_encryption.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ["aws:kms","AES256"]
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 3.4,8.2.1,10.5    
+    Violation: S3 Bucket default encryption must be set.
+    Fix: Set the S3 Bucket property BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm to either "aws:kms" or "AES256"
+  >>
+}
+
+## Config Rule Name : sagemaker-endpoint-configuration-kms-key-configured
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-endpoint-configuration-kms-key-configured.html"
+
+## Config Rule Name : sagemaker-notebook-instance-kms-key-configured
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-kms-key-configured.html"
+
+## Config Rule Name : secretsmanager-using-cmk
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html"
+
+## Config Rule Name : kms-cmk-not-scheduled-for-deletion
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/kms-cmk-not-scheduled-for-deletion.html"
+
+## Config Rule Name : acm-certificate-expiration-check
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
+
+## Config Rule Name : alb-http-drop-invalid-header-enabled
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
+#
+# Description:
+#   Elasticsearch domains must enforce Node-to-Node Encryption
+#
+# Reports on:
+#    AWS::Elasticsearch::Domain
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there is no elasticsearch domain present
+# b) FAIL: when elasticsearch domain has Node-to-Node encryption set to false
+# c) PASS: when elasticsearch domain has Node-to-Node encryption set to true
+# d) FAIL: when elasticsearch domain has Node-to-Node encryption property missing
+# e) SKIP: when metada has rule suppression for ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
+
+#
+# Select all elasticsearch domains from incoming template
+#
+
+let elasticsearch_domains_node2node_encrpytion = Resources.*[ Type == 'AWS::Elasticsearch::Domain'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK"
+]
+
+rule ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK when %elasticsearch_domains_node2node_encrpytion !empty {
+  %elasticsearch_domains_node2node_encrpytion.Properties.NodeToNodeEncryptionOptions.Enabled == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 4.1    
+    Violation: Elasticsearch domains must enforce Node-to-Node Encryption.
+    Fix: Set the NodeToNodeEncryptionOptions.Enabled parameter to true.
+  >>
+}
+
+## Config Rule Name : elb-acm-certificate-required
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html"
+
+## Config Rule Name : elbv2-acm-certificate-required
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/elbv2-acm-certificate-required.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED
+#
+# Description:
+#    Checks whether storage encryption is enabled for your RDS DB instances
+#
+# Reports on:
+#    AWS::RDS::DBInstance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no RDS instances present
+# b) PASS: when all RDS instances have AutoMinorVersionUpgrade set to true
+# c) FAIL: when all RDS instances have AutoMinorVersionUpgrade set to false
+# d) FAIL: when there are RDS instances with AutoMinorVersionUpgrade property is not present
+# e) SKIP: when metadata includes the suppression for rule RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED
+
+#
+# Select all RDS instance resources from incoming template (payload)
+#
+
+let aws_rds_instances_minor_version_upgrade_enabled = Resources.*[ Type == 'AWS::RDS::DBInstance'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED"
+]
+
+
+rule RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED when %aws_rds_instances_minor_version_upgrade_enabled !empty {
+  %aws_rds_instances_minor_version_upgrade_enabled.Properties.AutoMinorVersionUpgrade EXISTS
+  %aws_rds_instances_minor_version_upgrade_enabled.Properties.AutoMinorVersionUpgrade == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 6.2    
+    Violation: All RDS instances must have automatic minor version upgrade enabled.
+    Fix: Set the AutoMinorVersionUpgrade parameter to true.
+  >>
+}
+
+####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK
+#
+# Description:
+#    Checks whether Amazon Redshift clusters have the specified maintenance settings (AllowVersionUpgrade, PreferredMaintenanceWindow, AutomatedSnapshotRetentionPeriod) 
+#
+# Reports on:
+#   AWS::Redshift::Cluster
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no Redshift Cluster resource present
+# b) PASS: when Redshift Cluster resources have properties PreferredMaintenanceWindow set, AllowVersionUpgrade either not set (default true) or set to true, and AutomatedSnapshotRetentionPeriod either not set (default 1 day) or set to greated than 0. 
+# c) FAIL: when any Redshift Cluster resources do not have PreferredMaintenanceWindow property set
+# d) FAIL: when any Redshift Cluster resources have AllowVersionUpgrade property set to false 
+# e) FAIL: when any Redshift Cluster resources have AutomatedSnapshotRetentionPeriod property set to 0
+# f) SKIP: when metadata includes the suppression for rule REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK
+
+#
+# Select all Redshift Cluster resources from incoming template (payload)
+#
+let redhshift_clusters_maintenancesettings_check = Resources.*[ Type == 'AWS::Redshift::Cluster' 
+	Metadata.guard.SuppressedRules not exists or
+    Metadata.guard.SuppressedRules.* != "REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK"
+]
+
+rule REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK when %redhshift_clusters_maintenancesettings_check !empty {
+    %redhshift_clusters_maintenancesettings_check.Properties.PreferredMaintenanceWindow exists
+    
+    %redhshift_clusters_maintenancesettings_check.Properties.AllowVersionUpgrade not exists or 
+    %redhshift_clusters_maintenancesettings_check.Properties.AllowVersionUpgrade == true
+
+
+    %redhshift_clusters_maintenancesettings_check.Properties.AutomatedSnapshotRetentionPeriod not exists or 
+    %redhshift_clusters_maintenancesettings_check.Properties.AutomatedSnapshotRetentionPeriod > 0
+
+    <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 6.2    
+			Violation: Amazon Redshift maintenance settings must be configured
+			Fix: set the PreferredMaintenanceWindow property, remove the AllowVersionUpgrade property (default true) or set it to true, and remove the AutomatedSnapshotRetentionPeriod property (default 1 day) or set it to greated than 0. 
+    >>
+}
+## Config Rule Name : alb-waf-enabled
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html"
+
+    ## Config Rule Name : api-gw-associated-with-waf
+    ## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/API_GW_ASSOCIATED_WITH_WAF.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#   IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS
+#
+# Description:
+#   Checks if AWS Identity and Access Management (IAM) policies grant permissions to all actions on individual AWS resources.
+#
+# Reports on:
+#   AWS::IAM::ManagedPolicy
+#
+# Evaluates:
+#   AWS CloudFormation
+#
+# Rule Parameters:
+#   NA
+#
+# Scenarios:
+# a) SKIP: when there are no IAM Managed Policies present
+# b) PASS: when all IAM Managed Policies do not allows full access to at least 1 AWS service
+# c) FAIL: when any IAM Managed Policies allows full access to at least 1 AWS service.
+# d) SKIP: when metada has rule suppression for IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS
+
+#
+# Select all IAM Managed Policy resources from incoming template (payload)
+# 
+let aws_iam_managed_policies_no_statements_with_full_access = Resources.*[ Type == 'AWS::IAM::ManagedPolicy'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS" 
+]
+
+rule IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS when %aws_iam_managed_policies_no_statements_with_full_access !empty {
+  let violations = Resources.*[
+    Type == 'AWS::IAM::ManagedPolicy' 
+    some Properties.PolicyDocument.Statement[*] {
+      some Action[*] in ["*", /^[a-zA-Z0-9]*:\*$/]
+      Effect == "Allow"
+      Resource == "*"
+    }
+  ]
+  %violations empty
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 7.1.2,7.1.3,7.2.1,7.2.2    
+    Violation: One or more IAM Managed Policies allow full access to at least 1 AWS service
+    Fix: Remove policy statements that match {"Effect": "Allow", "Action": "<service-name>:*" ... } or {"Effect": "Allow", "Action": "*" ... }
+  >>
+} 
+    ## Config Rule Name : emr-kerberos-enabled
+    ## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/EMR_KERBEROS_ENABLED.html"
+
+## Config Rule Name : s3-bucket-policy-grantee-check
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy-grantee-check.html
+
+# Rule Intent: Checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide.
+
+    ## Config Rule Name : ecs-task-definition-user-for-host-mode-check
+    ## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK.html"
+
+    ## Config Rule Name : codebuild-project-envvar-awscred-check
+    ## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-envvar-awscred-check.html"
+
+    ## Config Rule Name : codebuild-project-source-repo-url-check
+    ## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html"
+
+## Config Rule Name : sns-encrypted-kms
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html"
+
+## Config Rule Name : api-gw-execution-logging-enabled
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html"
+
+## Config Rule Name : elb-logging-enabled
+## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/elb-logging-enabled.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    RDS_INSTANCE_LOGGING_ENABLED
+#
+# Description:
+#    Checks if log types exported to Amazon CloudWatch for an Amazon Relational
+#    Database Service (Amazon RDS) instance are enabled.
+#
+# Reports on:
+#    AWS::RDS::DBInstance
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no RDS instances present
+# b) PASS: when all RDS instances have EnableCloudwatchLogsExports set to true
+# c) FAIL: when all RDS instances have EnableCloudwatchLogsExports set to false
+# d) FAIL: when there are RDS instances with EnableCloudwatchLogsExports property is not present
+# e) SKIP: when metadata includes the suppression for rule RDS_INSTANCE_LOGGING_ENABLED
+
+#
+# Select all RDS instance resources from incoming template (payload)
+#
+
+let aws_rds_instances_logging_enabled = Resources.*[ Type == 'AWS::RDS::DBInstance'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "RDS_INSTANCE_LOGGING_ENABLED"
+]
+
+
+rule RDS_INSTANCE_LOGGING_ENABLED when %aws_rds_instances_logging_enabled !empty {
+  %aws_rds_instances_logging_enabled.Properties.EnableCloudwatchLogsExports EXISTS
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6    
+    Violation: Enable CloudWatch Logs Exports for monitoring and logging.
+    Fix: Provide EnableCloudWatchLogsExports object to start exporting cloudwatch logs.
+  >>
+}
+
+
+    ## Config Rule Name : wafv2-logging-enabled
+    ## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html"
+
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    ELASTICSEARCH_LOGS_TO_CLOUDWATCH
+#
+# Description:
+#   Checks if Amazon OpenSearch Service (OpenSearch Service) domains are
+#   configured to send logs to Amazon CloudWatch Logs.
+#
+# Reports on:
+#    AWS::Elasticsearch::Domain
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there is no elasticsearch domain present
+# b) FAIL: when elasticsearch domain does not have LogPublishingOptions or Enabled parameter is set to false for all available keys
+# c) PASS: when elasticsearch domain has LogPublishingOptions with Enabled parameter is set to true on one key
+# d) SKIP: when metada has rule suppression for ELASTICSEARCH_LOGS_TO_CLOUDWATCH
+
+#
+# Select all elasticsearch domains from incoming template
+#
+
+let elasticsearch_domains_logs_cloudwatch = Resources.*[ Type == 'AWS::Elasticsearch::Domain'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "ELASTICSEARCH_LOGS_TO_CLOUDWATCH"
+]
+
+rule ELASTICSEARCH_LOGS_TO_CLOUDWATCH when %elasticsearch_domains_logs_cloudwatch !empty {
+
+  %elasticsearch_domains_logs_cloudwatch.Properties.LogPublishingOptions EXISTS
+  %elasticsearch_domains_logs_cloudwatch.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled == true OR
+  %elasticsearch_domains_logs_cloudwatch.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled == true OR
+  %elasticsearch_domains_logs_cloudwatch.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled == true
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 10.1,10.2.1,10.2.2,10.2.3,10.2.4,10.2.5,10.3.1,10.3.2,10.3.3,10.3.4,10.3.5,10.3.6    
+    Violation: Elasticsearch domain must have logging configured to send logs to CloudWatch Logs.
+    Fix: Set a LogPublishingOptions object to have the property "Enabled" parameter set to true for keys "ES_APPLICATION_LOGS", "SEARCH_SLOW_LOGS", or "INDEX_SLOW_LOGS".
+  >>
+}
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_VERSIONING_ENABLED
+#
+# Description:
+#   Checks if versioning is enabled for your S3 buckets.
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources Versioning Configuration status is set to Enabled
+# c) FAIL: when all S3 resources have Versioning Configuration status property not set or set to Suspended
+# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_VERSIONING_ENABLED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+let s3_buckets_versioning_enabled = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_VERSIONING_ENABLED"
+]
+
+rule S3_BUCKET_VERSIONING_ENABLED when %s3_buckets_versioning_enabled !empty {
+  %s3_buckets_versioning_enabled.Properties.VersioningConfiguration exists
+  %s3_buckets_versioning_enabled.Properties.VersioningConfiguration.Status == 'Enabled'
+  <<
+    Guard Rule Set: PCI-DSS-3-2-1
+    Controls: 10.5.3    
+    Violation: S3 Bucket Versioning must be enabled.
+    Fix: Set the S3 Bucket property VersioningConfiguration.Status to 'Enabled' .
+  >>
+}