YAML Control Details
This page is the reference for all YAML control files of the WAF Framework. The YAML files contain machine-readable checks that can be executed directly against Terraform code by the WAF Checker Tool.
Pillar 1 · Security – WAF-SEC
| Control ID | Title | Severity | Provider | Category |
|---|---|---|---|---|
| WAF-SEC-010 | Identity & Access Management Baseline | 🔴 Critical | AWS, Azure, GCP, StackIT, OVH, Hetzner | IAM |
| WAF-SEC-020 | Least Privilege & RBAC Enforcement | 🔴 Critical | AWS, Azure, GCP, StackIT, OVH, Hetzner | IAM |
| WAF-SEC-030 | Encryption at Rest with CMK | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Encryption |
| WAF-SEC-040 | Encryption in Transit – TLS Enforcement | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Encryption |
| WAF-SEC-050 | Network Segmentation & Security Group Hardening | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Network Security |
| WAF-SEC-060 | Secrets Management – No Hardcoded Credentials | 🔴 Critical | AWS, Azure, GCP, StackIT, OVH, Hetzner | Secrets |
| WAF-SEC-070 | Vulnerability & Patch Management | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Vulnerability Management |
| WAF-SEC-080 | Security Monitoring & Threat Detection | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Monitoring |
| WAF-SEC-090 | Policy-as-Code & Compliance Automation | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Compliance |
| WAF-SEC-100 | Incident Response Readiness | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Incident Response |
| WAF-SEC-110 | Supply Chain Security & SBOM | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Supply Chain |
| | Container & Runtime Security | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Container Security |
| | Data Classification & Sensitive Data Protection | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Data Protection |

Pillar 2 · Cost Optimization – WAF-COST
| Control ID | Title | Severity | Provider | Category |
|---|---|---|---|---|
| WAF-COST-010 | Cost Allocation Tagging Enforced | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Cost Allocation |
| WAF-COST-020 | Cost Budgets & Alerting Configured | 🟠 High | AWS, Azure | Budget Control |
| WAF-COST-030 | Resource Rightsizing & Idle Detection | 🟡 Medium | AWS, Azure, StackIT, OVH, Hetzner | Resource Optimization |
| WAF-COST-040 | Storage & Retention Lifecycle Defined | 🟠 High | AWS | Retention Management |
| WAF-COST-050 | Cost Impact Assessment in ADRs | 🟠 High | Any (Governance) | Architectural Cost Debt |
| WAF-COST-060 | FinOps Review Cadence | 🟡 Medium | Any (Governance) | FinOps Governance |
| WAF-COST-070 | Observability & Logging Cost Tiers | 🟡 Medium | AWS | Observability Cost |
| WAF-COST-080 | Commitment & Reserved Capacity Planning | 🟡 Medium | AWS, Azure | Cost Optimization |
| | Data Transfer & Egress Cost Management | 🟠 High | AWS | Data Transfer |
| | Architectural Cost Debt Register & Quarterly Review | 🟡 Medium | Any (Governance) | Architectural Cost Debt |

Pillar 3 · Operational Excellence – WAF-OPS
| Control ID | Title | Severity | Provider | Category |
|---|---|---|---|---|
| WAF-OPS-010 | CI/CD Pipeline Defined & Automated | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | CI/CD |
| WAF-OPS-020 | Infrastructure as Code Enforced | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | IaC |
| WAF-OPS-030 | Observability Stack Configured | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Observability |
| WAF-OPS-040 | Alerting on Symptoms, Not Causes | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Alerting |
| WAF-OPS-050 | Change Management & Deployment Risk Assessment | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Change Management |
| WAF-OPS-060 | Runbook & Operational Documentation Coverage | 🟡 Medium | Any (Governance) | Documentation |
| WAF-OPS-070 | Post-Incident Review Process | 🟡 Medium | Any (Governance) | Incident Response |
| WAF-OPS-080 | Feature Flag & Safe Deployment Patterns | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Deployment |
| | Configuration Drift Detection & Remediation | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Drift Detection |
| | Operational Debt Register & Review | 🟡 Medium | Any (Governance) | Operational Debt |

Pillar 4 · Reliability – WAF-REL
| Control ID | Title | Severity | Provider | Category |
|---|---|---|---|---|
| WAF-REL-010 | SLO & SLA Definition Documented | 🔴 Critical | AWS, Azure, GCP, StackIT, OVH, Hetzner | SLO |
| WAF-REL-020 | Health Checks & Readiness Probes Configured | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Health Checks |
| WAF-REL-030 | Multi-AZ High Availability Deployment | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | High Availability |
| WAF-REL-040 | Backup & Recovery Validation | 🔴 Critical | AWS, Azure, GCP, StackIT, OVH, Hetzner | Backup |
| WAF-REL-050 | Circuit Breaker & Timeout Configuration | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Resilience |
| WAF-REL-060 | Incident Response & Runbook Readiness | 🟠 High | Any (Governance) | Incident Response |
| WAF-REL-070 | Disaster Recovery Testing | 🟠 High | Any (Governance) | DR |
| WAF-REL-080 | Dependency & Upstream Resilience Management | 🟡 Medium | Any (Governance) | Dependencies |
| | Chaos Engineering & Fault Injection | 🟡 Medium | Any (Governance) | Chaos |
| | Reliability Debt Register & Quarterly Review | 🟡 Medium | Any (Governance) | Reliability Debt |

Pillar 5 · Performance Efficiency – WAF-PERF
| Control ID | Title | Severity | Provider | Category |
|---|---|---|---|---|
| WAF-PERF-010 | Compute Instance Type & Sizing Validated | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Compute |
| WAF-PERF-020 | Auto-Scaling Configured & Tested | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Auto-Scaling |
| WAF-PERF-030 | Caching Strategy Defined & Implemented | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Caching |
| WAF-PERF-040 | Database Performance Baseline & Index Strategy | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Database |
| WAF-PERF-050 | Performance Monitoring & SLO Definition | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Monitoring |
| WAF-PERF-060 | Load & Stress Testing in CI/CD Pipeline | 🟡 Medium | Any (Governance) | Testing |
| WAF-PERF-070 | Network Latency & Topology Optimization | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Network |
| WAF-PERF-080 | Serverless & Managed Services for Variable Load | 🟡 Low | AWS, Azure, GCP, StackIT, OVH, Hetzner | Serverless |
| | Storage I/O Performance & Throughput Optimization | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Storage |
| | Performance Debt Register & Quarterly Review | 🟡 Medium | Any (Governance) | Performance Debt |

Pillar 6 · Sustainability – WAF-SUS
| Control ID | Title | Severity | Provider | Category |
|---|---|---|---|---|
| WAF-SUS-010 | Carbon Footprint Measurement & Reporting | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Carbon |
| WAF-SUS-020 | Energy-Efficient Compute Selection | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Compute |
| WAF-SUS-030 | Green Region & Carbon-Aware Workload Placement | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Regions |
| WAF-SUS-040 | Idle & Underutilized Resource Elimination | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | Efficiency |
| WAF-SUS-050 | Storage Lifecycle & Data Minimization | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Storage |
| WAF-SUS-060 | Workload Scheduling & Time-Shifting | 🟡 Low | Any (Governance) | Scheduling |
| WAF-SUS-070 | Sustainable Software Design Standards | 🟡 Medium | Any (Governance) | Software |
| WAF-SUS-080 | Network & Data Transfer Efficiency | 🟡 Medium | AWS, Azure, GCP, StackIT, OVH, Hetzner | Network |
| | ESG Reporting & Compliance Automation | 🟡 Medium | Any (Governance) | Compliance |
| | Sustainability Debt Register & Quarterly Review | 🟡 Low | Any (Governance) | Sustainability Debt |

Pillar 7 · Sovereign – WAF-SOV
| Control ID | Title | Severity | Provider | Checks |
|---|---|---|---|---|
| WAF-SOV-010 | Data Residency Policy Defined | 🟠 High | AWS, Azure, GCP, StackIT, OVH, Hetzner | 4 |
| WAF-SOV-020 | Region Pinning Enforced (IaC) | 🔴 Critical | AWS, Azure, GCP, StackIT, OVH, Hetzner | 5 |
| WAF-SOV-030 | Backup Location & Retention Controlled | 🟠 High | AWS, Azure, StackIT, OVH, Hetzner | 6 |
| WAF-SOV-040 | Logging & Telemetry Residency Controlled | 🟠 High | AWS, StackIT, OVH, Hetzner | 5 |
| WAF-SOV-050 | Key Ownership & Management Defined | 🔴 Critical | AWS, Azure, StackIT, OVH, Hetzner | 6 |
| WAF-SOV-060 | Privileged Access Controlled (Separation of Duties) | 🔴 Critical | AWS, StackIT | 4 |
| WAF-SOV-070 | Break-Glass Process & Logging | 🟠 High | AWS, StackIT, OVH, Hetzner | 5 |
| WAF-SOV-080 | Dependency & Subprocessor Inventory | 🟡 Medium | Any (AWS, Azure, GCP, StackIT, OVH, Hetzner) | 4 |
| | Controlled Egress & Data Exfiltration Guardrails | 🟠 High | AWS, Azure, StackIT, OVH, Hetzner | 5 |
| | Exit Plan & Portability Tested | 🟡 Medium | AWS, Any (includes StackIT, OVH, Hetzner) | 5 |

Check Operator Reference
The YAML controls use the following op values in assertions:
| Operator | Meaning |
|---|---|
| | The attribute exists (not null/unset) |
| | The attribute is not empty (no empty string) |
| | Value exactly matches the |
| | Value does not match the |
| | Value is contained in the allowed list |
| | Value is not contained in the forbidden list |
| | Boolean value is |
| | Boolean value is |
| | Numeric value is greater than |
| | Numeric value is greater than or equal to |
| | Numeric value is less than or equal to |
| | Value does not match the regular expression in |
| | Value matches the regular expression in |
| | Dictionary/Map contains the key |
| | A block of this type exists |
| | Another resource exists that references this object |
| | JSON string does not contain a pattern (regex-based) |

WAF-SEC – Details
WAF-SEC-010 – Identity & Access Management Baseline
File: controls/WAF-SEC-010.yml
Checks verify: root account secured with MFA, IAM password policy, IMDSv2 for EC2, no long-lived access keys.
WAF-SEC-020 – Least Privilege & RBAC Enforcement
File: controls/WAF-SEC-020.yml
Checks verify: no Action: * with Resource: * policies, no AdministratorAccess for application roles, permission boundaries configured.
WAF-SEC-030 – Encryption at Rest with CMK
File: controls/WAF-SEC-030.yml
Checks verify: S3 uses aws:kms (CMK, not AES256), EBS volumes encrypted, RDS storage encrypted, KMS key rotation enabled.
WAF-SEC-040 – Encryption in Transit – TLS Enforcement
File: controls/WAF-SEC-040.yml
Checks verify: ALB enforces HTTPS with TLS 1.2+, CloudFront minimum protocol TLSv1.2, API Gateway with TLS, RDS connections with TLS.
WAF-SEC-050 – Network Segmentation & Security Group Hardening
File: controls/WAF-SEC-050.yml
Checks verify: no security group with port 22/3389 open to 0.0.0.0/0, no unrestricted ingress rules, RDS not publicly accessible, VPC flow logs enabled.
WAF-SEC-060 – Secrets Management – No Hardcoded Credentials
File: controls/WAF-SEC-060.yml
Checks verify: no plaintext passwords in defaults, ECS task definitions use secrets not environment, Secrets Manager rotation configured, no private keys in Terraform.
WAF-SEC-070 – Vulnerability & Patch Management
File: controls/WAF-SEC-070.yml
Checks verify: ECR scan-on-push enabled, ECR image tag immutability, Inspector enabled (optional).
WAF-SEC-080 – Security Monitoring & Threat Detection
File: controls/WAF-SEC-080.yml
Checks verify: GuardDuty enabled, CloudTrail multi-region with log validation, CloudTrail S3 not public, alarms for root login and IAM changes.
WAF-SEC-090 – Policy-as-Code & Compliance Automation
File: controls/WAF-SEC-090.yml
Checks verify: required Terraform version pinned, required provider versions pinned.
WAF-SEC-100 – Incident Response Readiness
File: controls/WAF-SEC-100.yml
Checks verify: Config recorder enabled, S3 access logging enabled, CloudTrail multi-region enabled.
WAF-SEC-110 – Supply Chain Security & SBOM
File: controls/WAF-SEC-110.yml
Checks verify: lockfile present, SBOM generation in CI, image signing step (Cosign).
WAF-COST – Details
WAF-COST-010 – Cost Allocation Tagging Enforced
File: controls/WAF-COST-010.yml
Checks verify: mandatory tags (cost-center, owner, environment, workload) on compute, storage, and database resources. CI gate blocks resources without complete tagging.
WAF-COST-020 – Cost Budgets & Alerting Configured
File: controls/WAF-COST-020.yml
Checks verify: aws_budgets_budget with alert thresholds (80%, 100%); azurerm_consumption_budget_resource_group; google_billing_budget per billing account.
WAF-COST-030 – Resource Rightsizing & Idle Detection
File: controls/WAF-COST-030.yml
Checks verify: compute resources carry rightsizing-reviewed tag with date; no persistent deployment without rightsizing documentation.
WAF-COST-040 – Storage & Retention Lifecycle Defined
File: controls/WAF-COST-040.yml
Checks verify: S3 buckets have lifecycle_rule; CloudWatch Log Groups retention_in_days set and > 0; Azure Storage Lifecycle Policy; GCP Bucket Lifecycle Rules.
WAF-COST-050 – Cost Impact Assessment in ADRs
File: controls/WAF-COST-050.yml
Governance control (procedural). Checks verify: ADR files contain a cost-impact section with TCO estimate, lock-in score (1–5), data transfer costs, operational effort, and exit costs.
WAF-COST-060 – FinOps Review Cadence
File: controls/WAF-COST-060.yml
Governance control. Checks verify: monthly engineering review and quarterly architecture board review documented with action items tracked.
WAF-COST-070 – Observability & Logging Cost Tiers
File: controls/WAF-COST-070.yml
Checks verify: CloudWatch Log Groups retention_in_days <= 365 for operational logs (no infinite retention); tiering tag log-tier (hot/warm/cold/archive) present; no DEBUG level in production without explicit sampling rate.
WAF-COST-080 – Commitment & Reserved Capacity Planning
File: controls/WAF-COST-080.yml
Checks verify: baseline compute instances carry capacity-commitment tag with reserved or savings-plan. On-demand-only deployments flagged as optimization candidates.
WAF-OPS – Details
WAF-OPS-010 – CI/CD Pipeline Defined & Automated
File: controls/WAF-OPS-010.yml
Checks verify: pipeline definitions stored in version control; all deployments automated; branch protection enabled; approval gates configured.
WAF-OPS-020 – Infrastructure as Code Enforced
File: controls/WAF-OPS-020.yml
Checks verify: all production infrastructure defined as IaC; manual changes restricted via IAM/SCP; remote state backend with locking; all IaC changes through pull request review.
WAF-OPS-030 – Observability Stack Configured
File: controls/WAF-OPS-030.yml
Checks verify: services emit structured JSON logs with trace ID; distributed tracing configured; RED metrics exported; log retention >= 30 days.
WAF-OPS-040 – Alerting on Symptoms, Not Causes
File: controls/WAF-OPS-040.yml
Checks verify: alerts based on symptom metrics (error rate, latency, availability); every paging alert has runbook URL; SLOs defined for critical services.
WAF-OPS-050 – Change Management & Deployment Risk Assessment
File: controls/WAF-OPS-050.yml
Checks verify: change categories defined; high-risk changes require multi-person approval; deployment freeze policies configured; change records linked to artifacts.
WAF-OPS-060 – Runbook & Operational Documentation Coverage
File: controls/WAF-OPS-060.yml
Checks verify: all paging alerts linked to runbooks; runbooks versioned and reviewed quarterly; runbook coverage >= 90% for critical services.
WAF-OPS-070 – Post-Incident Review Process
File: controls/WAF-OPS-070.yml
Checks verify: SEV-1/P1 incidents and SLO violations trigger postmortem; postmortems blameless with action items tracked; completed within 5 business days.
WAF-OPS-080 – Feature Flag & Safe Deployment Patterns
File: controls/WAF-OPS-080.yml
Checks verify: production deployments use Canary, Blue/Green, or Feature Flags; rollback possible in < 5 minutes; new features deployed behind feature flags.
WAF-REL – Details
WAF-REL-010 – SLA & SLO Definition Documented
File: controls/WAF-REL-010.yml
Checks verify: SLO document versioned; error budget calculated; burn rate alerts configured; quarterly review evidenced.
WAF-REL-020 – Health Checks & Readiness Probes Configured
File: controls/WAF-REL-020.yml
Checks verify: ALB target group health check configured; Azure LB probe with request_path; GCP compute health check with HTTP path.
WAF-REL-030 – Multi-AZ High Availability Deployment
File: controls/WAF-REL-030.yml
Checks verify: RDS multi_az = true; ASG with min >= 2 and multi-AZ subnets; Azure DB with ZoneRedundant HA; Cloud SQL REGIONAL availability.
WAF-REL-040 – Backup & Recovery Validation
File: controls/WAF-REL-040.yml
Checks verify: RDS backup_retention_period >= 7, deletion_protection = true; S3 versioning = Enabled; Azure DB backup configuration; Cloud SQL backup + PITR enabled.
WAF-REL-050 – Circuit Breaker & Timeout Configuration
File: controls/WAF-REL-050.yml
Checks verify: ALB idle_timeout explicitly set; Azure App Gateway request_timeout; Cloud Run timeout_seconds configured.
WAF-REL-060 – Incident Response & Runbook Readiness
File: controls/WAF-REL-060.yml
Checks verify: CloudWatch alarms with alarm_actions and ok_actions; Azure Monitor action group with recipients; GCP alert policy with notification channels.
WAF-REL-070 – Disaster Recovery Testing
File: controls/WAF-REL-070.yml
Checks verify: Route 53 health check failover; Azure Traffic Manager failover; GCP DNS with TTL <= 60s.
WAF-REL-080 – Dependency & Upstream Resilience Management
File: controls/WAF-REL-080.yml
Checks verify: VPC endpoints for AWS API isolation; Azure private endpoints; GCP private_ip_google_access enabled.
WAF-PERF – Details
WAF-PERF-010 – Compute Instance Type & Sizing Validated
File: controls/WAF-PERF-010.yml
Checks verify: no previous-generation instance types (t2, m4, c4); Azure VMs with current size; GCP N2/C2 instead of N1.
WAF-PERF-020 – Auto-Scaling Configured & Tested
File: controls/WAF-PERF-020.yml
Checks verify: ASG min >= 1, max >= 2, health check configured; Azure Monitor Autoscale Settings; GCP autoscaler with policy.
WAF-PERF-030 – Caching Strategy Defined & Implemented
File: controls/WAF-PERF-030.yml
Checks verify: ElastiCache with automatic failover; Azure Redis Premium SKU; GCP Memorystore with HA tier.
WAF-PERF-040 – Database Performance Baseline & Index Strategy
File: controls/WAF-PERF-040.yml
Checks verify: RDS Performance Insights enabled; Azure SQL Query Insights; GCP Cloud SQL Query Insights enabled.
WAF-PERF-050 – Performance Monitoring & SLO Definition
File: controls/WAF-PERF-050.yml
Checks verify: P99 latency alarm with actions; Application Insights with retention >= 30 days; Monitoring uptime check with alert policy.
WAF-PERF-060 – Load & Stress Testing in CI/CD Pipeline
File: controls/WAF-PERF-060.yml
Checks verify: CodePipeline with performance test stage; Azure DevOps pipeline with perf gate; Cloud Build trigger with performance steps.
WAF-PERF-070 – Network Latency & Topology Optimization
File: controls/WAF-PERF-070.yml
Checks verify: Gateway VPC endpoint for S3; Azure CDN or Front Door; Cloud CDN enabled.
WAF-PERF-080 – Serverless & Managed Services for Variable Load
File: controls/WAF-PERF-080.yml
Checks verify: Lambda with explicit memory, timeout, reserved concurrency; Azure Premium or Dedicated plan; Cloud Run min instances > 0.
WAF-SUS – Details
WAF-SUS-010 – Carbon Footprint Measurement & Reporting
File: controls/WAF-SUS-010.yml
Checks verify: Cloud provider carbon footprint tools activated; emission data linked to workload tags; retained for ESG reporting.
WAF-SUS-020 – Energy-Efficient Compute Selection
File: controls/WAF-SUS-020.yml
Checks verify: ARM64/Graviton instances preferred; Lambda functions use arm64; no previous-generation instance families.
WAF-SUS-030 – Green Region & Carbon-Aware Workload Placement
File: controls/WAF-SUS-030.yml
Checks verify: region selection considers carbon intensity; sustainable aspects documented; batch workloads evaluate green regions.
WAF-SUS-040 – Idle & Underutilized Resource Elimination
File: controls/WAF-SUS-040.yml
Checks verify: compute resources monitored for utilization; resources with < 5% CPU for 14+ days flagged; non-production scheduled shutdown policies.
WAF-SUS-050 – Storage Lifecycle & Data Minimization
File: controls/WAF-SUS-050.yml
Checks verify: S3, EBS, Azure Blob, GCS lifecycle policies; data transitioned to cold tiers; log data retention limits; temporary data expiration dates.
WAF-SUS-060 – Workload Scheduling & Time-Shifting
File: controls/WAF-SUS-060.yml
Checks verify: batch workloads scheduled for off-peak hours; flexible time windows activated; carbon intensity APIs integrated.
WAF-SUS-070 – Sustainable Software Design Standards
File: controls/WAF-SUS-070.yml
Checks verify: software designed with energy efficiency as quality attribute; ADRs include energy efficiency considerations; SCI measured for critical workloads.
WAF-SUS-080 – Network & Data Transfer Efficiency
File: controls/WAF-SUS-080.yml
Checks verify: CDN for user-facing static content; HTTP compression enabled; VPC endpoints for AWS service communication.
WAF-SOV – Details
WAF-SOV-010 – Data Residency Policy Defined
File: controls/WAF-SOV-010.yml
Checks verify: data residency tagging on resources; explicit region/location attributes in provider blocks.
WAF-SOV-020 – Region Pinning Enforced (IaC)
File: controls/WAF-SOV-020.yml
Checks verify: explicit region in provider blocks; validation blocks in region/location variables; no hardcoded non-sovereign regions.
WAF-SOV-030 – Backup Location & Retention Controlled
File: controls/WAF-SOV-030.yml
Checks verify: RDS/Aurora backup_retention_period >= 7; DynamoDB PITR enabled; backup vault in approved region; S3 versioning for backup buckets.
WAF-SOV-040 – Logging & Telemetry Residency Controlled
File: controls/WAF-SOV-040.yml
Checks verify: CloudTrail multi-region with log file validation; CloudWatch Log Group retention not 0 and >= 30 days; VPC Flow Logs enabled.
WAF-SOV-050 – Key Ownership & Management Defined
File: controls/WAF-SOV-050.yml
Checks verify: KMS key rotation enabled; deletion window >= 14 days; S3 uses aws:kms (not AES256); EBS and RDS storage encrypted; Azure Key Vault with purge protection.
WAF-SOV-060 – Privileged Access Controlled (Separation of Duties)
File: controls/WAF-SOV-060.yml
Checks verify: no IAM policy combining Action:* and Resource:*; no AdministratorAccess on regular roles; IAM password policy configured; no long-lived access keys.
WAF-SOV-070 – Break-Glass Process & Logging
File: controls/WAF-SOV-070.yml
Checks verify: CloudTrail multi-region, log validation, global events; CloudTrail S3 not public; CloudWatch alarm for root account activity; alarm for IAM policy changes.
WAF-SOV-080 – Dependency & Subprocessor Inventory
File: controls/WAF-SOV-080.yml
Checks verify: all required_providers with version constraint; required_version set; module versions pinned; no unapproved Git modules.