YAML Control Details
This page is the reference for all YAML control files of the WAF Framework. The YAML files contain machine-readable checks that can be executed directly against Terraform code by the WAF Checker Tool.
Pillar 2 · Cost Optimization – WAF-COST
| Control ID | Title | Severity | Provider | Category |
|---|---|---|---|---|
| WAF-COST-010 | Cost Allocation Tagging Enforced | 🟠 High | AWS, Azure, GCP | Cost Allocation |
| WAF-COST-020 | Cost Budgets & Alerting Configured | 🟠 High | AWS, Azure, GCP | Budget Control |
| WAF-COST-030 | Resource Rightsizing & Idle Detection | 🟡 Medium | AWS, Azure, GCP | Resource Optimization |
| WAF-COST-040 | Storage & Retention Lifecycle Defined | 🟠 High | AWS, Azure, GCP | Retention Management |
| WAF-COST-050 | Cost Impact Assessment in ADRs | 🟠 High | Any (Governance) | Architectural Cost Debt |
| WAF-COST-060 | FinOps Review Cadence | 🟡 Medium | Any (Governance) | FinOps Governance |
| WAF-COST-070 | Observability & Logging Cost Tiers | 🟡 Medium | AWS, Azure, GCP | Observability Cost |
| WAF-COST-080 | Commitment & Reserved Capacity Planning | 🟡 Medium | AWS, Azure, GCP | Cost Optimization |
| WAF-COST-090 | Data Transfer & Egress Cost Management | 🟠 High | AWS, Azure, GCP | Data Transfer |
| WAF-COST-100 | Architectural Cost Debt Register & Quarterly Review | 🟡 Medium | Any (Governance) | Architectural Cost Debt |
Pillar 7 · Sovereign – WAF-SOV
| Control ID | Title | Severity | Provider | Checks |
|---|---|---|---|---|
| WAF-SOV-010 | Data Residency Policy Defined | 🟠 High | AWS, Azure, GCP | 4 |
| WAF-SOV-020 | Region Pinning Enforced (IaC) | 🔴 Critical | AWS, Azure, GCP | 5 |
| WAF-SOV-030 | Backup Location & Retention Controlled | 🟠 High | AWS, Azure | 6 |
| WAF-SOV-040 | Logging & Telemetry Residency Controlled | 🟠 High | AWS | 5 |
| WAF-SOV-050 | Key Ownership & Management Defined | 🔴 Critical | AWS, Azure | 6 |
| WAF-SOV-060 | Privileged Access Controlled (Separation of Duties) | 🔴 Critical | AWS | 4 |
| WAF-SOV-070 | Break-Glass Process & Logging | 🟠 High | AWS | 5 |
| WAF-SOV-080 | Dependency & Subprocessor Inventory | 🟡 Medium | Any | 4 |
| | Controlled Egress & Data Exfiltration Guardrails | 🟠 High | AWS, Azure | 5 |
| | Exit Plan & Portability Tested | 🟡 Medium | AWS, Any | 5 |
WAF-COST – Details
WAF-COST-010 – Cost Allocation Tagging Enforced
File: controls/WAF-COST-010.yml | Narrative: WAF-COST-010
Checks verify: mandatory tags (cost-center, owner, environment, workload) on compute, storage,
and database resources for AWS, Azure, and GCP. CI gate blocks resources without complete tagging.
WAF-COST-020 – Cost Budgets & Alerting Configured
File: controls/WAF-COST-020.yml | Narrative: WAF-COST-020
Checks verify: aws_budgets_budget with alert thresholds (80%, 100%); azurerm_consumption_budget_resource_group;
google_billing_budget per billing account. No environment without a defined budget.
WAF-COST-030 – Resource Rightsizing & Idle Detection
File: controls/WAF-COST-030.yml | Narrative: WAF-COST-030
Checks verify: compute resources carry a rightsizing-reviewed tag with a date; no persistent
deployment without rightsizing documentation. Complementary automation via AWS Compute Optimizer / Azure Advisor.
WAF-COST-040 – Storage & Retention Lifecycle Defined
File: controls/WAF-COST-040.yml | Narrative: WAF-COST-040
Checks verify: S3 buckets must have a lifecycle_rule defined; CloudWatch Log Groups
retention_in_days must be set and > 0; Azure Storage Lifecycle Policy; GCP Bucket Lifecycle Rules.
No infinite retention without an explicit compliance justification.
WAF-COST-050 – Cost Impact Assessment in ADRs
File: controls/WAF-COST-050.yml | Narrative: WAF-COST-050
Governance control (procedural). Checks verify: ADR files in the repository contain a
cost-impact section with a TCO estimate, lock-in score (1–5), data transfer costs, operational effort,
and exit costs. Missing cost section = violation (Architectural Cost Debt).
WAF-COST-060 – FinOps Review Cadence
File: controls/WAF-COST-060.yml | Narrative: WAF-COST-060
Governance control. Checks verify: monthly engineering review and quarterly architecture board review are documented (meeting notes in the repository); action items tracked with owner and due date.
WAF-COST-070 – Observability & Logging Cost Tiers
File: controls/WAF-COST-070.yml | Narrative: WAF-COST-070
Checks verify: CloudWatch Log Groups retention_in_days <= 365 for operational logs (no infinite retention);
tiering tag log-tier (hot/warm/cold/archive) present; no DEBUG level in production
without an explicit sampling rate.
WAF-COST-080 – Commitment & Reserved Capacity Planning
File: controls/WAF-COST-080.yml | Narrative: WAF-COST-080
Checks verify: baseline compute instances (persistent workload) carry a capacity-commitment tag
with the value reserved or savings-plan. On-demand-only deployments without a commitment tag are flagged
as optimization candidates.
WAF-COST-090 – Data Transfer & Egress Cost Management
File: controls/WAF-COST-090.yml | Narrative: WAF-COST-090
Checks verify: VPC Endpoint for S3 present in AWS VPCs; no direct internet gateway routes
for internal compute resources; CDN resource (aws_cloudfront_distribution / Azure CDN /
google_compute_backend_bucket) configured for public-facing storage.
WAF-COST-100 – Architectural Cost Debt Register & Quarterly Review
File: controls/WAF-COST-100.yml | Narrative: WAF-COST-100
Governance control. Checks verify: file cost-debt-register.yml present in the repository;
each entry contains owner, annual_impact_eur, status, and resolution_date;
quarterly review entry for the current quarter with architecture board sign-off present.
Check Operator Reference
The YAML controls use the following op values in assertions:
| Operator | Meaning |
|---|---|
| | The attribute exists (not null/unset) |
| | The attribute is not empty (no empty string) |
| | Value exactly matches the |
| | Value does not match the |
| | Value is contained in the allowed list |
| | Value is not contained in the forbidden list |
| | Boolean value is |
| | Boolean value is |
| | Numeric value is greater than |
| | Numeric value is greater than or equal to |
| | Numeric value is less than or equal to |
| | Value does not match the regular expression in |
| | Value matches the regular expression in |
| | Dictionary/Map contains the key |
| | A block of this type exists |
| | Another resource exists that references this object |
| | JSON string does not contain a pattern (regex-based) |
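The following Python is an added example (not the WAF Checker Tool's own code) that shows how assertions built from operators like the ones in the table above are evaluated against Terraform plan output, using checks of the kind WAF-COST-010, WAF-COST-040 and WAF-COST-070 describe (mandatory tags, lifecycle_rule present, retention_in_days set, > 0 and <= 365). The operator names (`exists`, `gt`, `le`, `has_key`, `block_exists`, …), the control layout, and the plan resources are all assumptions; the real control files may use different keys.

```python
"""Evaluate WAF-style YAML assertions against a Terraform plan (added example).

Not the WAF Checker Tool's code. Assumptions: the operator names, the
control layout below, and the constructed plan resources.
"""
import re
from typing import Any

# Constructed stand-in for the "planned_values" resources of
# `terraform show -json plan.out`, reduced to the fields the checks read.
PLAN_RESOURCES = [
    {"type": "aws_instance", "address": "aws_instance.api",
     "values": {"tags": {"cost-center": "CC-42", "owner": "team-api",
                         "environment": "prod", "workload": "api"}}},
    {"type": "aws_instance", "address": "aws_instance.batch",
     "values": {"tags": {"owner": "team-data"}}},                # three mandatory tags missing
    {"type": "aws_cloudwatch_log_group", "address": "aws_cloudwatch_log_group.api",
     "values": {"name": "/app/api", "retention_in_days": 0}},     # 0 means "never expire"
    {"type": "aws_cloudwatch_log_group", "address": "aws_cloudwatch_log_group.batch",
     "values": {"name": "/app/batch", "retention_in_days": 731}}, # finite, but above 365
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.logs",
     "values": {"bucket": "logs",
                "lifecycle_rule": [{"enabled": True, "expiration": [{"days": 365}]}]}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.raw",
     "values": {"bucket": "raw", "lifecycle_rule": []}},           # no lifecycle rule
]

# Controls in the shape PyYAML would give for an assumed controls/WAF-COST-0x0.yml layout.
MANDATORY_TAGS = ("cost-center", "owner", "environment", "workload")
CONTROLS = [
    {"id": "WAF-COST-010", "checks": [
        {"resource_type": "aws_instance",
         "assertions": [{"attr": "tags", "op": "has_key", "value": t} for t in MANDATORY_TAGS]}]},
    {"id": "WAF-COST-040", "checks": [
        {"resource_type": "aws_cloudwatch_log_group",
         "assertions": [{"attr": "retention_in_days", "op": "exists"},
                        {"attr": "retention_in_days", "op": "gt", "value": 0}]},
        {"resource_type": "aws_s3_bucket",
         "assertions": [{"attr": "lifecycle_rule", "op": "block_exists"}]}]},
    {"id": "WAF-COST-070", "checks": [
        {"resource_type": "aws_cloudwatch_log_group",
         "assertions": [{"attr": "retention_in_days", "op": "le", "value": 365}]}]},
]


def evaluate(op: str, actual: Any, expected: Any = None) -> bool:
    """Apply one assertion operator. Unknown operators and unset values fail closed."""
    if op == "exists":
        return actual is not None
    if op == "not_empty":
        return actual not in (None, "", [], {})
    if op == "equals":
        return actual == expected
    if op == "not_equals":
        return actual is not None and actual != expected
    if op == "in":
        return actual in expected
    if op == "not_in":
        return actual is not None and actual not in expected
    if op in ("gt", "ge", "le"):
        # bool is an int subclass in Python; a boolean must not satisfy a numeric comparison
        if isinstance(actual, bool) or not isinstance(actual, (int, float)):
            return False
        return {"gt": actual > expected, "ge": actual >= expected, "le": actual <= expected}[op]
    if op == "regex":
        return isinstance(actual, str) and re.search(expected, actual) is not None
    if op == "not_regex":
        return isinstance(actual, str) and re.search(expected, actual) is None
    if op == "has_key":
        return isinstance(actual, dict) and expected in actual
    if op == "block_exists":
        return bool(actual)  # plan JSON renders nested blocks as lists; an absent block is [] or None
    return False


def run_controls(controls: list, resources: list) -> list:
    """Return one violation record per failed assertion."""
    violations = []
    for control in controls:
        for check in control["checks"]:
            for res in resources:
                if res["type"] != check["resource_type"]:
                    continue
                for a in check["assertions"]:
                    actual = res["values"].get(a["attr"])
                    if not evaluate(a["op"], actual, a.get("value")):
                        violations.append({"control": control["id"], "resource": res["address"],
                                           "attr": a["attr"], "op": a["op"], "expected": a.get("value")})
    return violations


def ci_exit_code(violations: list) -> int:
    """CI gate: any violation fails the pipeline."""
    return 1 if violations else 0


if __name__ == "__main__":
    found = run_controls(CONTROLS, PLAN_RESOURCES)
    for v in found:
        print(f"{v['control']}  {v['resource']}  {v['attr']} {v['op']} {v['expected']}")
    raise SystemExit(ci_exit_code(found))
```

Two details matter for the retention checks: `retention_in_days = 0` passes `exists` (the attribute is set) but fails `gt 0`, which is exactly the "no infinite retention" case WAF-COST-040 targets, and it would pass `le 365` on its own, so WAF-COST-070 needs WAF-COST-040 beside it. The numeric operators deliberately fail on unset or non-numeric values rather than treating them as zero.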
WAF-SOV-010 – Data Residency Policy Defined
File: controls/WAF-SOV-010.yml
Checks verify: data residency tagging on resources; explicit region/location attributes in provider blocks for AWS, Azure, and GCP.
WAF-SOV-020 – Region Pinning Enforced (IaC)
File: controls/WAF-SOV-020.yml
Checks verify: explicit region in provider blocks; validation blocks in region/location variables; no hardcoded non-sovereign regions.
WAF-SOV-030 – Backup Location & Retention Controlled
File: controls/WAF-SOV-030.yml
Checks verify: RDS/Aurora backup_retention_period >= 7; DynamoDB PITR enabled; backup vault in approved region; S3 versioning for backup buckets.
WAF-SOV-040 – Logging & Telemetry Residency Controlled
File: controls/WAF-SOV-040.yml
Checks verify: CloudTrail multi-region with log file validation; CloudWatch Log Group retention not 0 and >= 30 days; VPC Flow Logs for all VPCs; CloudWatch integration.
WAF-SOV-050 – Key Ownership & Management Defined
File: controls/WAF-SOV-050.yml
Checks verify: KMS key rotation enabled; deletion window >= 14 days; S3 uses aws:kms (not AES256); EBS and RDS storage encrypted; Azure Key Vault with purge protection.
WAF-SOV-060 – Privileged Access Controlled (Separation of Duties)
File: controls/WAF-SOV-060.yml
Checks verify: no IAM policy combining Action:* and Resource:*; no AdministratorAccess on regular roles; IAM password policy configured; no long-lived access keys.
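Of the WAF-SOV-060 checks, "no IAM policy combining Action:* and Resource:*" is the one a regex over the policy string gets wrong most easily, because IAM accepts `Action` and `Resource` as either a string or a list and a single `Statement` may be written without a list. The added Python example below (not the WAF Checker Tool's code) parses the policy JSON instead and also covers the AdministratorAccess attachment check. The plan resources, addresses and ARNs other than the AWS-managed AdministratorAccess policy ARN are constructed.

```python
"""Flag IAM policies that violate WAF-SOV-060 (added example, not the tool's code).

Finds: Allow statements with Action:* on Resource:* (string or list forms),
NotAction on Resource:* (near-admin), and AdministratorAccess attachments.
The resources are constructed plan entries; the policy JSON is what
Terraform would pass to AWS in the `policy` attribute.
"""
import json

ADMIN_MANAGED_POLICY_SUFFIX = ":policy/AdministratorAccess"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def analyse_policy_document(doc: str) -> list:
    """Return a finding per over-broad Allow statement in one policy JSON document."""
    statements = json.loads(doc).get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be written without a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":  # Deny statements narrow access, never widen it
            continue
        all_actions = any(a in ("*", "*:*") for a in _as_list(stmt.get("Action")))
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if all_actions and all_resources:
            findings.append(f"statement[{i}]: Action:* combined with Resource:* (full administrative grant)")
        elif "NotAction" in stmt and all_resources:
            findings.append(f"statement[{i}]: NotAction with Resource:* (everything except the listed actions)")
    return findings


def check_sov_060(resources: list) -> dict:
    """Map resource address -> findings for inline/managed policies and admin attachments."""
    result = {}
    for res in resources:
        findings = []
        if res["type"] in ("aws_iam_policy", "aws_iam_role_policy"):
            findings = analyse_policy_document(res["values"]["policy"])
        elif res["type"] == "aws_iam_role_policy_attachment":
            if res["values"].get("policy_arn", "").endswith(ADMIN_MANAGED_POLICY_SUFFIX):
                findings = ["AdministratorAccess attached to a role"]
        if findings:
            result[res["address"]] = findings
    return result


def _doc(*statements) -> str:
    """Build a policy document string the way Terraform's jsonencode() would."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


# Constructed plan resources (addresses, bucket names and the ops role are made up).
IAM_RESOURCES = [
    {"type": "aws_iam_policy", "address": "aws_iam_policy.admin",
     "values": {"policy": _doc({"Effect": "Allow", "Action": "*", "Resource": "*"})}},
    {"type": "aws_iam_policy", "address": "aws_iam_policy.reader",
     "values": {"policy": _doc({"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                "Resource": ["arn:aws:s3:::constructed-bucket",
                                             "arn:aws:s3:::constructed-bucket/*"]})}},
    {"type": "aws_iam_role_policy", "address": "aws_iam_role_policy.deploy",
     "values": {"policy": json.dumps({"Version": "2012-10-17",   # single statement, list forms
                                      "Statement": {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}})}},
    {"type": "aws_iam_policy", "address": "aws_iam_policy.almost",
     "values": {"policy": _doc({"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"})}},
    {"type": "aws_iam_policy", "address": "aws_iam_policy.deny_all",
     "values": {"policy": _doc({"Effect": "Deny", "Action": "*", "Resource": "*"})}},
    {"type": "aws_iam_role_policy_attachment", "address": "aws_iam_role_policy_attachment.ops",
     "values": {"role": "ops", "policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

if __name__ == "__main__":
    for address, findings in check_sov_060(IAM_RESOURCES).items():
        for f in findings:
            print(f"WAF-SOV-060  {address}: {f}")
```

The `NotAction` branch is reported as its own finding because "everything except iam:*" on all resources is not literally `Action:*`, yet it is the grant a regex-only check misses and the one that most often slips past review.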
WAF-SOV-070 – Break-Glass Process & Logging
File: controls/WAF-SOV-070.yml
Checks verify: CloudTrail multi-region, log validation, global events; CloudTrail S3 not public; CloudWatch alarm for root account activity; alarm for IAM policy changes.
WAF-SOV-080 – Dependency & Subprocessor Inventory
File: controls/WAF-SOV-080.yml
Checks verify: all required_providers with version constraint; required_version set; module versions pinned; no unapproved Git modules.
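The WAF-SOV-080 checks are a supply-chain control: an unpinned provider or a module pulled from a branch changes under you without any change in the repository. The added Python example below (not the WAF Checker Tool's code) implements those four checks over a root module. The configuration dict follows the layout the python-hcl2 library produces for HCL blocks, which is an assumption, as are the approved Git hosts, the module sources, and the rule that only a semver tag or a commit hash counts as a pinned `ref`.

```python
"""WAF-SOV-080 style provider and module pinning checks (added example).

Not the WAF Checker Tool's code. Assumptions: the python-hcl2 block
layout of CONFIG, the approved Git host list, and the constructed sources.
"""
import re
from urllib.parse import parse_qs, urlparse

APPROVED_GIT_HOSTS = {"github.com", "git.example.internal"}       # assumption: org policy
PINNED_REF = re.compile(r"^(v?\d+\.\d+\.\d+|[0-9a-f]{7,40})$")    # semver tag or commit hash

# Constructed: roughly what `hcl2.load()` returns for main.tf plus modules.tf.
CONFIG = {
    "terraform": [{
        "required_version": ">= 1.5.0",
        "required_providers": [{
            "aws": {"source": "hashicorp/aws", "version": "~> 5.40"},
            "random": {"source": "hashicorp/random"},                   # no version constraint
        }],
    }],
    "module": [
        {"vpc": {"source": "terraform-aws-modules/vpc/aws", "version": "5.8.1"}},
        {"kms": {"source": "terraform-aws-modules/kms/aws"}},           # registry module, unpinned
        {"iam": {"source": "git::https://github.com/example-org/iam.git?ref=v1.4.0"}},
        {"net": {"source": "git::https://github.com/example-org/net.git"}},              # no ref
        {"bad": {"source": "git::https://gitlab.example.com/x/y.git?ref=main"}},  # bad host, branch ref
    ],
}


def check_terraform_block(cfg: dict) -> list:
    """required_version set and every provider in required_providers carries a constraint."""
    findings = []
    blocks = cfg.get("terraform", [])
    if not any("required_version" in b for b in blocks):
        findings.append("terraform.required_version is not set")
    providers = {}
    for b in blocks:
        for rp in b.get("required_providers", []):
            providers.update(rp)
    if not providers:
        findings.append("no required_providers block")
    for name, spec in providers.items():
        if not isinstance(spec, dict) or not spec.get("version"):
            findings.append(f"provider {name}: no version constraint")
    return findings


def check_modules(cfg: dict) -> list:
    """Registry modules need a version; git modules need an approved host and an immutable ref."""
    findings = []
    for entry in cfg.get("module", []):
        for name, spec in entry.items():
            src = spec.get("source", "")
            if src.startswith("git::"):
                url = urlparse(src[len("git::"):])
                if url.hostname not in APPROVED_GIT_HOSTS:
                    findings.append(f"module {name}: git source host {url.hostname!r} not approved")
                ref = parse_qs(url.query).get("ref", [None])[0]
                if not ref:
                    findings.append(f"module {name}: git source without ?ref= (tracks the default branch)")
                elif not PINNED_REF.match(ref):
                    findings.append(f"module {name}: ref {ref!r} is a mutable branch name, not a tag or commit")
            elif not src.startswith(("./", "../")) and not spec.get("version"):
                findings.append(f"module {name}: registry module without version pin")
    return findings


if __name__ == "__main__":
    for line in check_terraform_block(CONFIG) + check_modules(CONFIG):
        print(f"WAF-SOV-080  {line}")
```

Local modules (`./` and `../` sources) are exempt because they are versioned with the repository itself. The example only handles URL-form `git::` sources; the scp-style `git::git@host:org/repo.git` form would need its own parser, and a tag ref is only as immutable as the protection on the upstream repository, so a commit hash is the stronger pin.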