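"""Scrape the AWS Security Hub control reference pages into one JSON file.

Each page in URLS lists controls as FIND_ELEMENT_NAME headings followed by
FIND_NEXT_SIBLINGS paragraphs such as "AWS Config rule: <code>...</code>" or
"Severity: Medium".  For every heading the fields named in SEARCH_STRINGS are
read from the paragraphs of that heading's own section and the collected
entries are written to OUTPUT_DIR/result_<timestamp>.json.
"""
from datetime import datetime
import json
import logging
import os
import sys

import requests
from bs4 import BeautifulSoup

LOG_LEVEL = logging.INFO

# Seconds to wait on each docs page; without it requests.get() can block forever.
REQUEST_TIMEOUT = 30

# Directory the JSON result is written to (created on demand).
OUTPUT_DIR = '.output'

_BASE_URL = "https://docs.aws.amazon.com/securityhub/latest/userguide/"

# Service slugs of the control reference pages, in the order they are scraped.
_CONTROL_PAGES = [
    "account", "acm", "apigateway", "appsync", "athena", "backup",
    "cloudformation", "cloudfront", "cloudtrail", "cloudwatch", "codebuild",
    "config", "dms", "documentdb", "dynamodb", "ecr", "ecs", "ec2",
    "autoscaling", "ssm", "efs", "eks", "elasticache", "elasticbeanstalk",
    "elb", "emr", "es", "eventbridge", "fsx", "guardduty", "iam", "kinesis",
    "kms", "lambda", "macie", "msk", "mq", "neptune", "networkfirewall",
    "opensearch", "pca", "rds", "redshift", "route53", "s3", "sagemaker",
    "secretsmanager", "sns", "sqs", "stepfunctions", "waf",
]

URLS = [f"{_BASE_URL}{page}-controls.html" for page in _CONTROL_PAGES]

# Field label -> how its value is read from the paragraph that mentions it:
#   "code": the text of the <code class="code"> element inside the paragraph
#   "text": the text that directly follows the <b> label inside the paragraph
SEARCH_STRINGS = {
    "AWS Config rule": "code",
    "Resource type": "code",
    "Schedule type": "text",
    "Severity": "text",
}

# One control per element of this name; its fields live in the following
# sibling elements of FIND_NEXT_SIBLINGS, up to the next such heading.
FIND_ELEMENT_NAME = "h2"
FIND_NEXT_SIBLINGS = "p"


class TimeFormatter(logging.Formatter):
    """Formatter whose %(asctime)s is rendered from a local-time datetime."""

    # Replace the time.struct_time converter with one that yields a datetime,
    # so formatTime() can use any datetime.strftime directive.
    converter = datetime.fromtimestamp

    def formatTime(self, record, datefmt=None):
        """Render record.created with *datefmt*, else with the class defaults."""
        moment = self.converter(record.created)
        if datefmt:
            return moment.strftime(datefmt)
        base = moment.strftime(self.default_time_format)
        return self.default_msec_format % (base, record.msecs)


def init_logger():
    """Return the module logger, emitting one JSON object per line on stdout."""
    logger = logging.getLogger(__name__)
    # NOTE: %(message)s is substituted into the JSON template without escaping,
    # so a message containing a double quote yields a line that is not valid JSON.
    log_format_string = json.dumps({
        'logLevel': '%(levelname)s',
        'time': '%(asctime)s',
        'line': "%(filename)s: %(lineno)d",
        'message': '%(message)s',
    }, indent=None)
    # Attach the handler only once so repeated calls do not duplicate every line.
    if not logger.handlers:
        handler = logging.StreamHandler(sys.stdout)
        handler.setFormatter(TimeFormatter(log_format_string))
        logger.addHandler(handler)
    # Keep the root logger from printing each record a second time.
    logger.propagate = False
    logger.setLevel(LOG_LEVEL)
    return logger


def _fetch_html(url, logger):
    """Return the decoded body of *url*, or None after logging a failed request."""
    try:
        response = requests.get(url, timeout=REQUEST_TIMEOUT)
        # An error page (4xx/5xx) must not be parsed as if it were a controls page.
        response.raise_for_status()
    except requests.RequestException as exc:
        logger.error(f"failed to fetch {url}: {exc}")
        return None
    response.encoding = response.apparent_encoding
    return response.text


def _section_paragraphs(heading):
    """Return the FIND_NEXT_SIBLINGS elements between *heading* and the next heading.

    heading.find_next_siblings(FIND_NEXT_SIBLINGS) would return every later
    paragraph on the page, so a field that one control's section omits would be
    filled in from the next control that has it instead of being reported as
    "Not Found".
    """
    paragraphs = []
    for sibling in heading.find_next_siblings():
        if sibling.name == FIND_ELEMENT_NAME:
            break
        if sibling.name == FIND_NEXT_SIBLINGS:
            paragraphs.append(sibling)
    return paragraphs


def _extract_value(paragraph, method):
    """Read one field value from *paragraph* per *method*; None if the layout differs."""
    if method == "text":
        label = paragraph.b
        # Expected shape is "<b>Label</b> value"; anything else is not this field.
        if label is None or not isinstance(label.next_sibling, str):
            return None
        return label.next_sibling.strip()
    value_element = paragraph.find(method, {'class': 'code'})
    return value_element.text if value_element is not None else None


def _parse_controls(html, logger):
    """Return one dict per control heading found in *html*.

    Every dict carries "find_element.text" (the heading text) plus one key per
    SEARCH_STRINGS entry, set to "Not Found" when the section has no such field.
    """
    soup = BeautifulSoup(html, 'html.parser')
    entries = []
    for heading in soup.find_all(FIND_ELEMENT_NAME):
        logger.debug(f"find_element: {heading}")
        paragraphs = _section_paragraphs(heading)
        entry = {"find_element.text": heading.text}
        for search_string, method in SEARCH_STRINGS.items():
            value = None
            for paragraph in paragraphs:
                if search_string in paragraph.text:
                    value = _extract_value(paragraph, method)
                    if value is not None:
                        break
            logger.debug(f"search_string: {search_string}, value: {value}")
            entry[search_string] = "Not Found" if value is None else value
        entries.append(entry)
    return entries


def main():
    """Scrape every page in URLS and write the collected controls to OUTPUT_DIR."""
    logger = init_logger()
    result = []
    failed = []
    for url in URLS:
        html = _fetch_html(url, logger)
        if html is None:
            failed.append(url)
            continue
        result.extend(_parse_controls(html, logger))
    os.makedirs(OUTPUT_DIR, exist_ok=True)
    now = datetime.now().strftime('%Y%m%d%H%M%S')
    output_path = f'{OUTPUT_DIR}/result_{now}.json'
    with open(output_path, 'w', encoding='utf-8') as f:
        json.dump(result, f, ensure_ascii=False)
    logger.info(f"Successfully saved the result to {output_path}")
    if failed:
        logger.warning(f"{len(failed)} of {len(URLS)} pages could not be fetched; the result is incomplete")


if __name__ == "__main__":
    main()

## 取得された AWS Security Hub のコントロールのリファレンスのJSONファイル - 実際に取得された JSON ファイルの中身は以下のようになります。 - `Not Found` となっているものがいくつかありますが、`SEARCH_STRINGS` 変数で指定したキーワードが見つからなかった場合に `Not Found` となっています。 <details> <summary>AWS Security Hub のコントロールのリファレンスのJSON</summary> ```json [ { "find_element.text": "[Account.1] Security contact information should be provided for an AWS account", "AWS Config rule": "security-account-information-provided", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Account.2] AWS accounts should be part of an AWS Organizations organization", "AWS Config rule": "account-part-of-organizations", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period", "AWS Config rule": "acm-certificate-expiration-check", "Resource type": "AWS::ACM::Certificate", "Schedule type": "Change triggered and periodic", "Severity": "Medium" }, { "find_element.text": "[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits", "AWS Config rule": "acm-certificate-rsa-check", "Resource type": "AWS::ACM::Certificate", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text":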
"[APIGateway.1] API Gateway REST and WebSocket API execution logging\n should be enabled", "AWS Config rule": "api-gw-execution-logging-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.2] API Gateway REST API stages should be configured to use\n SSL certificates for backend authentication", "AWS Config rule": "api-gw-ssl-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.3] API Gateway REST API stages should have AWS X-Ray\n tracing enabled", "AWS Config rule": "api-gw-xray-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[APIGateway.4] API Gateway should be associated with a WAF Web\n ACL", "AWS Config rule": "api-gw-cache-encrypted", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.5] API Gateway REST API cache data should be encrypted at\n rest", "AWS Config rule": "api-gw-cache-encrypted", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.8] API Gateway routes should specify an authorization\n type", "AWS Config rule": "api-gwv2-authorization-type-configured", "Resource type": "AWS::ApiGatewayV2::Route", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[APIGateway.9] Access logging should be configured for API Gateway V2\n Stages", "AWS Config rule": "api-gwv2-access-logs-enabled", "Resource type": "AWS::ApiGatewayV2::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AppSync.2] AWS AppSync should have field-level logging enabled", "AWS Config rule": "appsync-logging-enabled", "Resource type": "AWS::AppSync::GraphQLApi", "Schedule 
type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys", "AWS Config rule": "appsync-authorization-check", "Resource type": "AWS::AppSync::GraphQLApi", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Athena.1] Athena workgroups should be encrypted at\n rest", "AWS Config rule": "athena-workgroup-encrypted-at-rest", "Resource type": "AWS::Athena::WorkGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Backup.1] AWS Backup recovery points should be encrypted at rest", "AWS Config rule": "backup-recovery-point-encrypted", "Resource type": "AWS::Backup::RecoveryPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)", "AWS Config rule": "cloudformation-stack-notification-check", "Resource type": "AWS::CloudFormation::Stack", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.1] CloudFront distributions should have a default root object configured", "AWS Config rule": "cloudfront-default-root-object-configured", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CloudFront.3] CloudFront distributions should require encryption in transit", "AWS Config rule": "cloudfront-viewer-policy-https", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.4] CloudFront distributions should have origin failover configured", "AWS Config rule": "cloudfront-origin-failover-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.5] CloudFront distributions should 
have logging enabled", "AWS Config rule": "cloudfront-accesslogs-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.6] CloudFront distributions should have WAF enabled", "AWS Config rule": "cloudfront-associated-with-waf", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates", "AWS Config rule": "cloudfront-custom-ssl-certificate", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests", "AWS Config rule": "cloudfront-sni-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins", "AWS Config rule": "cloudfront-traffic-to-origin-encrypted", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins", "AWS Config rule": "cloudfront-no-deprecated-ssl-protocols", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins", "AWS Config rule": "cloudfront-s3-origin-non-existent-bucket", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudFront.13] CloudFront distributions should use origin access control", "AWS Config rule": 
"cloudfront-s3-origin-access-control-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "AWS Config rule": "multi-region-cloudtrail-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudTrail.2] CloudTrail should have encryption at-rest enabled", "AWS Config rule": "cloud-trail-encryption-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[CloudTrail.3] CloudTrail should be enabled", "AWS Config rule": "cloudtrail-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudTrail.4] CloudTrail log file validation should be enabled", "AWS Config rule": "cloud-trail-log-file-validation-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs", "AWS Config rule": "cloud-trail-cloud-watch-logs-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", "AWS Config rule": "Not Found", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic and change\n triggered", "Severity": "Critical" }, { "find_element.text": "[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket", "AWS Config rule": "Not Found", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.1] A log metric filter and alarm should exist 
for usage of the \"root\" user", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": 
"AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.15] CloudWatch alarms should have specified actions configured", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::CloudWatch::Alarm", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CloudWatch.16] CloudWatch log groups should be retained for a 
specified time period", "AWS Config rule": "cw-loggroup-retention-period-check", "Resource type": "AWS::Logs::LogGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[CloudWatch.17] CloudWatch alarm actions should be activated", "AWS Config rule": "cloudwatch-alarm-action-enabled-check", "Resource type": "AWS::CloudWatch::Alarm", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials", "AWS Config rule": "codebuild-project-source-repo-url-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials", "AWS Config rule": "codebuild-project-envvar-awscred-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[CodeBuild.3] CodeBuild S3 logs should be encrypted", "AWS Config rule": "codebuild-project-s3-logs-encrypted", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration", "AWS Config rule": "codebuild-project-logging-enabled", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled", "AWS Config rule": "codebuild-project-environment-privileged-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Config.1] AWS Config should be enabled", "AWS Config rule": "Not Found", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { 
"find_element.text": "[DMS.1] Database Migration Service replication instances should not be public", "AWS Config rule": "dms-replication-not-public", "Resource type": "AWS::DMS::ReplicationInstance", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[DMS.6] DMS replication instances should have automatic minor version upgrade enabled", "AWS Config rule": "dms-auto-minor-version-upgrade-enabled", "Resource type": "AWS::DMS::ReplicationInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.7] DMS replication tasks for the target database should have logging enabled", "AWS Config rule": "dms-replication-task-targetdb-logging", "Resource type": "AWS::DMS::ReplicationTask", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.8] DMS replication tasks for the source database should have logging enabled", "AWS Config rule": "dms-replication-task-sourcedb-logging", "Resource type": "AWS::DMS::ReplicationTask", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.9] DMS endpoints should use SSL", "AWS Config rule": "dms-endpoint-ssl-configured", "Resource type": "AWS::DMS::Endpoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at\n rest", "AWS Config rule": "docdb-cluster-encrypted", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period", "AWS Config rule": "docdb-cluster-backup-retention-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public", "AWS Config rule": "docdb-cluster-snapshot-public-prohibited", 
"Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs", "AWS Config rule": "docdb-cluster-audit-logging-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled", "AWS Config rule": "docdb-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand", "AWS Config rule": "dynamodb-autoscaling-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled", "AWS Config rule": "dynamodb-pitr-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest", "AWS Config rule": "dax-encryption-enabled", "Resource type": "AWS::DynamoDB::Cluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.4] DynamoDB tables should be present in a backup plan", "AWS Config rule": "dynamodb-resources-protected-by-backup-plan", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.6] DynamoDB tables should have deletion protection enabled", "AWS Config rule": "dynamodb-table-deletion-protection-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECR.1] ECR private repositories should have image scanning 
configured", "AWS Config rule": "ecr-private-image-scanning-enabled", "Resource type": "AWS::ECR::Repository", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ECR.2] ECR private repositories should have tag immutability configured", "AWS Config rule": "ecr-private-tag-immutability-enabled", "Resource type": "AWS::ECR::Repository", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECR.3] ECR repositories should have at least one lifecycle policy configured", "AWS Config rule": "ecr-private-lifecycle-policy-configured", "Resource type": "AWS::ECR::Repository", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.", "AWS Config rule": "ecs-task-definition-user-for-host-mode-check", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.2] ECS services should not have public IP addresses assigned to them automatically", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Service", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.3] ECS task definitions should not share the host's process namespace", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.4] ECS containers should run as non-privileged", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.5] ECS containers should be limited to read-only access to root filesystems", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.8] Secrets should not be passed as container 
environment variables", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.9] ECS task definitions should have a logging configuration", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.10] ECS Fargate services should run on the latest Fargate platform version", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Service", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECS.12] ECS clusters should use Container Insights", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.1] Amazon EBS snapshots should not be publicly restorable", "AWS Config rule": "ebs-snapshot-public-restorable-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[EC2.2] VPC default security groups should not allow inbound or outbound traffic", "AWS Config rule": "vpc-default-security-group-closed", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest", "AWS Config rule": "encrypted-volumes", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.4] Stopped EC2 instances should be removed after a specified time period", "AWS Config rule": "ec2-stopped-instance", "Resource type": "AWS::EC2::Instance", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.6] VPC flow logging should be enabled in all VPCs", "AWS Config rule": "vpc-flow-logs-enabled", "Resource type": "AWS::EC2::VPC", "Schedule type": "Periodic", 
"Severity": "Medium" }, { "find_element.text": "[EC2.7] EBS default encryption should be enabled", "AWS Config rule": "ec2-ebs-encryption-by-default", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "AWS Config rule": "ec2-imdsv2-check", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.9] Amazon EC2 instances should not have a public IPv4 address", "AWS Config rule": "ec2-instance-no-public-ip", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service", "AWS Config rule": "service-vpc-endpoint-enabled", "Resource type": "AWS::EC2::VPC", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.12] Unused Amazon EC2 EIPs should be removed", "AWS Config rule": "eip-attached", "Resource type": "AWS::EC2::EIP", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.13] Security groups should not allow ingress from\n 0.0.0.0/0 or ::/0 to port 22", "AWS Config rule": "restricted-ssh", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", "AWS Config rule": "restricted-common-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.15] Amazon EC2 subnets should not automatically assign\n public IP addresses", "AWS Config rule": "subnet-auto-assign-public-ip-disabled", "Resource type": "AWS::EC2::Subnet", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": 
"[EC2.16] Unused Network Access Control Lists should be\n removed", "AWS Config rule": "vpc-network-acl-unused-check", "Resource type": "AWS::EC2::NetworkAcl", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.17] Amazon EC2 instances should not use multiple\n ENIs", "AWS Config rule": "ec2-instance-multiple-eni-check", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.18] Security groups should only allow unrestricted\n incoming traffic for authorized ports", "AWS Config rule": "vpc-sg-open-only-to-authorized-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.19] Security groups should not allow unrestricted\n access to ports with high risk", "AWS Config rule": "vpc-sg-restricted-common-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN\n connection should be up", "AWS Config rule": "vpc-vpn-2-tunnels-up", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.21] Network ACLs should not allow ingress from\n 0.0.0.0/0 to port 22 or port 3389", "AWS Config rule": "nacl-no-unrestricted-ssh-rdp", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.22] Unused Amazon EC2 security groups should be\n removed", "AWS Config rule": "ec2-security-group-attached-to-eni-periodic", "Resource type": "AWS::EC2::Volume", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.23] Amazon EC2 Transit Gateways should not automatically\n accept VPC attachment requests", "AWS Config rule": "ec2-transit-gateway-auto-vpc-attach-disabled", "Resource type": "AWS::EC2::Volume", 
"Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.24] Amazon EC2 paravirtual instance types should not be\n used", "AWS Config rule": "ec2-paravirtual-instance-check", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.25] Amazon EC2 launch templates should not assign public\n IPs to network interfaces", "AWS Config rule": "ec2-launch-template-public-ip-disabled", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.28] EBS volumes should be covered by a backup\n plan", "AWS Config rule": "ebs-resources-protected-by-backup-plan", "Resource type": "AWS::EC2::Volume", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled", "AWS Config rule": "ec2-client-vpn-connection-log-enabled", "Resource type": "AWS::EC2::ClientVpnEndpoint", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[AutoScaling.1] Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks", "AWS Config rule": "autoscaling-group-elb-healthcheck-required", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones", "AWS Config rule": "autoscaling-multiple-az", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)", "AWS Config rule": "autoscaling-launchconfig-requires-imdsv2", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change 
triggered", "Severity": "High" }, { "find_element.text": "[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1", "AWS Config rule": "autoscaling-launch-config-hop-limit", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses", "AWS Config rule": "autoscaling-launch-config-public-ip-disabled", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones", "AWS Config rule": "autoscaling-multiple-instance-types", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates", "AWS Config rule": "autoscaling-launch-template", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager", "AWS Config rule": "ec2-instance-managed-by-systems-manager", "Resource type": "AWS::SSM::PatchCompliance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation", "AWS Config rule": "ec2-managedinstance-patch-compliance-status-check", "Resource type": "AWS::SSM::PatchCompliance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status 
of COMPLIANT", "AWS Config rule": "ec2-managedinstance-association-compliance-status-check", "Resource type": "AWS::SSM::AssociationCompliance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[SSM.4] SSM documents should not be public", "AWS Config rule": "ssm-document-not-public", "Resource type": "AWS::SSM::Document", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS", "AWS Config rule": "efs-encrypted-check", "Resource type": "AWS::EFS::FileSystem", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EFS.2] Amazon EFS volumes should be in backup plans", "AWS Config rule": "efs-in-backup-plan", "Resource type": "AWS::EFS::FileSystem", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EFS.3] EFS access points should enforce a root directory", "AWS Config rule": "efs-access-point-enforce-root-directory", "Resource type": "AWS::EFS::AccessPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EFS.4] EFS access points should enforce a user identity", "AWS Config rule": "efs-access-point-enforce-user-identity", "Resource type": "AWS::EFS::AccessPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EKS.1] EKS cluster endpoints should not be publicly accessible", "AWS Config rule": "eks-endpoint-no-public-access", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[EKS.2] EKS clusters should run on a supported Kubernetes version", "AWS Config rule": "eks-cluster-supported-version", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EKS.8] EKS clusters should have audit logging enabled", "AWS Config rule": "eks-cluster-logging-enabled", "Resource type": 
"AWS::EKS::Cluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled", "AWS Config rule": "elasticache-redis-cluster-automatic-backup-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled", "AWS Config rule": "elasticache-auto-minor-version-upgrade-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled", "AWS Config rule": "elasticache-repl-grp-auto-failover-enabled", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest", "AWS Config rule": "elasticache-repl-grp-encrypted-at-rest", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit", "AWS Config rule": "elasticache-repl-grp-encrypted-in-transit", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH", "AWS Config rule": "elasticache-repl-grp-redis-auth-enabled", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.7] ElastiCache clusters should not use the default subnet group", "AWS Config rule": "elasticache-subnet-group-check", "Resource type": 
"AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled", "AWS Config rule": "beanstalk-enhanced-health-reporting-enabled", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled", "AWS Config rule": "elastic-beanstalk-managed-updates-enabled", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch", "AWS Config rule": "elastic-beanstalk-logs-to-cloudwatch", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS", "AWS Config rule": "alb-http-to-https-redirection-check", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager", "AWS Config rule": "elb-acm-certificate-required", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination", "AWS Config rule": "elb-tls-https-listeners-only", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.4] Application Load Balancer should be configured to drop http headers", "AWS Config rule": 
"alb-http-drop-invalid-header-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.5] Application and Classic Load Balancers logging should be enabled", "AWS Config rule": "elb-logging-enabled", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.6] Application Load Balancer deletion protection should be enabled", "AWS Config rule": "elb-deletion-protection-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.7] Classic Load Balancers should have connection draining enabled", "AWS Config rule": "elb-predefined-security-policy-ssl-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration", "AWS Config rule": "elb-predefined-security-policy-ssl-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled", "AWS Config rule": "elb-cross-zone-load-balancing-enabled", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.10] Classic Load Balancer should span multiple Availability Zones", "AWS Config rule": "clb-multiple-az", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode", "AWS Config 
rule": "alb-desync-mode-check", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones", "AWS Config rule": "elbv2-multiple-az", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode", "AWS Config rule": "clb-desync-mode-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL", "AWS Config rule": "alb-waf-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses", "AWS Config rule": "emr-master-no-public-ip", "Resource type": "AWS::EMR::Cluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[EMR.2] Amazon EMR block public access setting should be enabled", "AWS Config rule": "emr-block-public-access", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[ES.1] Elasticsearch domains should have encryption at-rest enabled", "AWS Config rule": "elasticsearch-encrypted-at-rest", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ES.2] Elasticsearch domains should not be publicly accessible", "AWS Config rule": "elasticsearch-in-vpc-only", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[ES.3] Elasticsearch 
domains should encrypt data sent between nodes", "AWS Config rule": "elasticsearch-node-to-node-encryption-check", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled", "AWS Config rule": "elasticsearch-logs-to-cloudwatch", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.5] Elasticsearch domains should have audit logging enabled", "AWS Config rule": "elasticsearch-audit-logging-enabled", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.6] Elasticsearch domains should have at least three data nodes", "AWS Config rule": "elasticsearch-data-node-fault-tolerance", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes", "AWS Config rule": "elasticsearch-https-required", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2", "AWS Config rule": "elasticsearch-https-required", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached", "AWS Config rule": "custom-schema-registry-policy-attached", "Resource type": "AWS::Events::EventBus", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EventBridge.4] EventBridge global endpoints should have event replication enabled", "AWS Config rule": 
"global-endpoint-event-replication-enabled", "Resource type": "AWS::Events::Endpoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes", "AWS Config rule": "fsx-openzfs-copy-tags-enabled", "Resource type": "AWS::FSx::FileSystem", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[GuardDuty.1] GuardDuty should be enabled", "AWS Config rule": "guardduty-enabled-centralized", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[IAM.1] IAM policies should not allow full \"*\" administrative privileges", "AWS Config rule": "iam-policy-no-statements-with-admin-access", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[IAM.2] IAM users should not have IAM policies attached", "AWS Config rule": "iam-user-no-policies-check", "Resource type": "AWS::IAM::User", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[IAM.3] IAM users' access keys should be rotated every 90 days or less", "AWS Config rule": "access-keys-rotated", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.4] IAM root user access key should not exist", "AWS Config rule": "iam-root-access-key-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.5] MFA should be enabled for all IAM users that have a console password", "AWS Config rule": "mfa-enabled-for-iam-console-access", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.6] Hardware MFA should be enabled for the root user", "AWS Config rule": "root-account-hardware-mfa-enabled", "Resource type": "AWS::::Account", "Schedule type": 
"Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.7] Password policies for IAM users should have strong configurations", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.8] Unused IAM user credentials should be removed", "AWS Config rule": "iam-user-unused-credentials-check", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.9] MFA should be enabled for the root user", "AWS Config rule": "root-account-mfa-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.10] Password policies for IAM users should have strong AWS Configurations", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.11] Ensure IAM password policy requires at least one uppercase letter", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.12] Ensure IAM password policy requires at least one lowercase letter", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.13] Ensure IAM password policy requires at least one symbol", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.14] Ensure IAM password policy requires at least one number", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater", "AWS Config rule": "iam-password-policy", 
"Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.16] Ensure IAM password policy prevents password reuse", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.17] Ensure IAM password policy expires passwords within 90 days or less", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.18] Ensure a support role has been created to manage incidents with AWS Support", "AWS Config rule": "iam-policy-in-use", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.19] MFA should be enabled for all IAM users", "AWS Config rule": "iam-user-mfa-enabled", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.20] Avoid the use of the root user", "AWS Config rule": "use-of-root-account-test", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services", "AWS Config rule": "iam-policy-no-statements-with-full-access", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[IAM.22] IAM user credentials unused for 45 days should be removed", "AWS Config rule": "iam-user-unused-credentials-check", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Kinesis.1] Kinesis streams should be encrypted at rest", "AWS Config rule": "kinesis-stream-encrypted", "Resource type": "AWS::Kinesis::Stream", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.1] IAM customer managed policies should not 
allow decryption actions on all KMS keys", "AWS Config rule": "iam-customer-policy-blocked-kms-actions", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys", "AWS Config rule": "iam-inline-policy-blocked-kms-actions", "Resource type": "AWS::KMS::Key", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.3] AWS KMS keys should not be deleted unintentionally", "AWS Config rule": "kms-cmk-not-scheduled-for-deletion-2", "Resource type": "AWS::KMS::Key", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[KMS.4] AWS KMS key rotation should be enabled", "AWS Config rule": "cmk-backing-key-rotation-enabled", "Resource type": "AWS::KMS::Key", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Lambda.1] Lambda function policies should prohibit public access", "AWS Config rule": "lambda-function-public-access-prohibited", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Lambda.2] Lambda functions should use supported runtimes", "AWS Config rule": "lambda-function-settings-check", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Lambda.3] Lambda functions should be in a VPC", "AWS Config rule": "lambda-inside-vpc", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones", "AWS Config rule": "lambda-vpc-multi-az-check", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Macie.1] Macie should be enabled", "AWS Config rule": 
"macie-status-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[MSK.1] MSK clusters should be encrypted in transit among broker nodes", "AWS Config rule": "msk-in-cluster-node-require-tls", "Resource type": "AWS::MSK::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[MSK.2] MSK clusters should have enhanced monitoring configured", "AWS Config rule": "msk-enhanced-monitoring-enabled", "Resource type": "AWS::MSK::Cluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[MQ.5] ActiveMQ brokers should use active/standby deployment mode", "AWS Config rule": "mq-active-deployment-mode", "Resource type": "AWS::AmazonMQ::Broker", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[MQ.6] RabbitMQ brokers should use cluster deployment mode", "AWS Config rule": "mq-rabbit-deployment-mode", "Resource type": "AWS::AmazonMQ::Broker", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.1] Neptune DB clusters should be encrypted at\n rest", "AWS Config rule": "neptune-cluster-encrypted", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Neptune.2] Neptune DB clusters should publish audit\n logs to CloudWatch Logs", "AWS Config rule": "neptune-cluster-cloudwatch-log-export-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Neptune.3] Neptune DB cluster snapshots should not be\n public", "AWS Config rule": "neptune-cluster-snapshot-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Neptune.4] Neptune DB clusters should have deletion\n protection enabled", "AWS Config rule": "neptune-cluster-deletion-protection-enabled", 
"Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.5] Neptune DB clusters should have automated\n backups enabled", "AWS Config rule": "neptune-cluster-backup-retention-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.6] Neptune DB cluster snapshots should be\n encrypted at rest", "AWS Config rule": "neptune-cluster-snapshot-encrypted", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.7] Neptune DB clusters should have IAM\n database authentication enabled", "AWS Config rule": "neptune-cluster-iam-database-authentication", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.8] Neptune DB clusters should be configured to\n copy tags to snapshots", "AWS Config rule": "neptune-cluster-copy-tags-to-snapshot-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones", "AWS Config rule": "neptune-cluster-multi-az-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones", "AWS Config rule": "netfw-multi-az-enabled", "Resource type": "AWS::NetworkFirewall::Firewall", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.2] Network Firewall logging should be enabled", "AWS Config rule": "netfw-logging-enabled", "Resource type": "AWS::NetworkFirewall::LoggingConfiguration", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": 
"[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated", "AWS Config rule": "netfw-policy-rule-group-associated", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets", "AWS Config rule": "netfw-policy-default-action-full-packets", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets", "AWS Config rule": "netfw-policy-default-action-fragment-packets", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty", "AWS Config rule": "netfw-stateless-rule-group-not-empty", "Resource type": "AWS::NetworkFirewall::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled", "AWS Config rule": "netfw-deletion-protection-enabled", "Resource type": "AWS::NetworkFirewall::Firewall", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.1] OpenSearch domains should have encryption at rest enabled", "AWS Config rule": "opensearch-encrypted-at-rest", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.2] OpenSearch domains should not be publicly accessible", "AWS Config rule": "opensearch-in-vpc-only", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Critical" }, { 
"find_element.text": "[Opensearch.3] OpenSearch domains should encrypt data sent between nodes", "AWS Config rule": "opensearch-node-to-node-encryption-check", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled", "AWS Config rule": "opensearch-logs-to-cloudwatch", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.5] OpenSearch domains should have audit logging enabled", "AWS Config rule": "opensearch-audit-logging-enabled", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.6] OpenSearch domains should have at least three data nodes", "AWS Config rule": "opensearch-data-node-fault-tolerance", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled", "AWS Config rule": "opensearch-access-control-enabled", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2", "AWS Config rule": "opensearch-https-required", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.10] OpenSearch domains should have the latest software update installed", "AWS Config rule": "opensearch-update-check", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[PCA.1] AWS Private CA root certificate authority should be disabled", "AWS Config rule": "acm-pca-root-ca-disabled", "Resource type": 
"AWS::ACMPCA::CertificateAuthority", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[RDS.1] RDS snapshot should be private", "AWS Config rule": "rds-snapshots-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", "AWS Config rule": "rds-instance-public-access-check", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[RDS.3] RDS DB instances should have encryption at-rest enabled", "AWS Config rule": "rds-storage-encrypted", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest", "AWS Config rule": "rds-snapshot-encrypted", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.5] RDS DB instances should be configured with multiple Availability Zones", "AWS Config rule": "rds-multi-az-support", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.6] Enhanced monitoring should be configured for RDS DB instances", "AWS Config rule": "rds-enhanced-monitoring-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.7] RDS clusters should have deletion protection enabled", "AWS Config rule": "rds-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.8] RDS DB instances should have deletion protection enabled", "AWS Config rule": 
"rds-instance-deletion-protection-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.9] RDS DB instances should publish logs to CloudWatch Logs", "AWS Config rule": "rds-logging-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.10] IAM authentication should be configured for RDS instances", "AWS Config rule": "rds-instance-iam-authentication-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.11] RDS instances should have automatic backups enabled", "AWS Config rule": "db-instance-backup-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.12] IAM authentication should be configured for RDS clusters", "AWS Config rule": "rds-cluster-iam-authentication-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.13] RDS automatic minor version upgrades should be enabled", "AWS Config rule": "rds-automatic-minor-version-upgrade-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[RDS.14] Amazon Aurora clusters should have backtracking enabled", "AWS Config rule": "aurora-mysql-backtracking-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.15] RDS DB clusters should be configured for multiple Availability Zones", "AWS Config rule": "rds-cluster-multi-az-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.16] RDS DB clusters should be configured to copy tags to snapshots", "AWS Config 
rule": "rds-cluster-copy-tags-to-snapshots-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.17] RDS DB instances should be configured to copy tags to snapshots", "AWS Config rule": "rds-instance-copy-tags-to-snapshots-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.18] RDS instances should be deployed in a VPC", "AWS Config rule": "rds-deployed-in-vpc", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events", "AWS Config rule": "rds-cluster-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events", "AWS Config rule": "rds-instance-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events", "AWS Config rule": "rds-pg-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.22] An RDS event notifications subscription should be configured for critical database security group events", "AWS Config rule": "rds-sg-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.23] RDS instances should not use a database engine default port", "AWS Config rule": "rds-no-default-ports", 
"Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.24] RDS Database clusters should use a custom administrator username", "AWS Config rule": "rds-cluster-default-admin-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.25] RDS database instances should use a custom administrator username", "AWS Config rule": "rds-instance-default-admin-check", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.26] RDS DB instances should be protected by a backup plan", "AWS Config rule": "rds-resources-protected-by-backup-plan", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[RDS.27] RDS DB clusters should be encrypted at rest", "AWS Config rule": "rds-cluster-encrypted-at-rest", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs", "AWS Config rule": "rds-aurora-mysql-audit-logging-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled", "AWS Config rule": "rds-cluster-auto-minor-version-upgrade-enable", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.1] Amazon Redshift clusters should prohibit public access", "AWS Config rule": "redshift-cluster-public-access-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit", 
"AWS Config rule": "redshift-require-tls-ssl", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled", "AWS Config rule": "redshift-backup-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.4] Amazon Redshift clusters should have audit logging enabled", "AWS Config rule": "redshift-cluster-audit-logging-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled", "AWS Config rule": "redshift-cluster-maintenancesettings-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.7] Redshift clusters should use enhanced VPC routing", "AWS Config rule": "redshift-enhanced-vpc-routing-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.8] Amazon Redshift clusters should not use the default Admin username", "AWS Config rule": "redshift-default-admin-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.9] Redshift clusters should not use the default database name", "AWS Config rule": "redshift-default-db-name-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.10] Redshift clusters should be encrypted at rest", "AWS Config rule": "redshift-cluster-kms-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Route53.2] 
Route 53 public hosted zones should log DNS queries", "AWS Config rule": "route53-query-logging-enabled", "Resource type": "AWS::Route53::HostedZone", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.1] S3 Block Public Access setting should be enabled", "AWS Config rule": "s3-account-level-public-access-blocks-periodic", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[S3.2] S3 buckets should prohibit public read access", "AWS Config rule": "s3-bucket-public-read-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Periodic and change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.3] S3 buckets should prohibit public write access", "AWS Config rule": "s3-bucket-public-write-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Periodic and change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.5] S3 buckets should require requests to use Secure Socket Layer", "AWS Config rule": "s3-bucket-ssl-requests-only", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted", "AWS Config rule": "s3-bucket-blacklisted-actions-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[S3.7] S3 buckets should have cross-Region replication enabled", "AWS Config rule": "s3-bucket-replication-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.8] S3 Block Public Access setting should be enabled at the bucket-level", "AWS Config rule": "s3-bucket-level-public-access-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[S3.9] S3 bucket 
server access logging should be enabled", "AWS Config rule": "s3-bucket-logging-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.10] S3 buckets with versioning enabled should have lifecycle policies configured", "AWS Config rule": "s3-version-lifecycle-policy-check", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.11] S3 buckets should have event notifications enabled", "AWS Config rule": "s3-event-notifications-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets", "AWS Config rule": "s3-bucket-acl-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.13] S3 buckets should have lifecycle policies configured", "AWS Config rule": "s3-lifecycle-policy-check", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.14] S3 buckets should use versioning", "AWS Config rule": "s3-bucket-versioning-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.15] S3 buckets should be configured to use Object Lock", "AWS Config rule": "s3-bucket-default-lock-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.17] S3 buckets should be encrypted at rest with AWS KMS keys", "AWS Config rule": "s3-default-encryption-kms", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.19] S3 access points should have block public access settings enabled", "AWS Config rule": 
"s3-access-point-public-access-blocks", "Resource type": "AWS::S3::AccessPoint", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.20] S3 general purpose buckets should have MFA delete enabled", "AWS Config rule": "s3-bucket-mfa-delete-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access", "AWS Config rule": "sagemaker-notebook-no-direct-internet-access", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC", "AWS Config rule": "sagemaker-notebook-instance-inside-vpc", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SageMaker.3] Users should not have root access to SageMaker notebook instances", "AWS Config rule": "sagemaker-notebook-instance-root-access-check", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled", "AWS Config rule": "secretsmanager-rotation-enabled-check", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully", "AWS Config rule": "secretsmanager-scheduled-rotation-success-check", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.3] Remove unused Secrets Manager secrets", "AWS Config rule": "secretsmanager-secret-unused", "Resource type": "AWS::SecretsManager::Secret", 
"Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days", "AWS Config rule": "secretsmanager-secret-periodic-rotation", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[SNS.1] SNS topics should be encrypted at-rest using AWS KMS", "AWS Config rule": "sns-encrypted-kms", "Resource type": "AWS::SNS::Topic", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic", "AWS Config rule": "sns-topic-message-delivery-notification-enabled", "Resource type": "AWS::SNS::Topic", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SQS.1] Amazon SQS queues should be encrypted at rest", "AWS Config rule": "sqs-queue-encrypted", "Resource type": "AWS::SQS::Queue", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[StepFunctions.1] Step Functions state machines should have\n logging turned on", "AWS Config rule": "step-functions-state-machine-logging-enabled", "Resource type": "AWS::StepFunctions::StateMachine", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled", "AWS Config rule": "waf-classic-logging-enabled", "Resource type": "AWS::WAF::WebACL", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[WAF.2] AWS WAF Classic Regional rules should have at least one condition", "AWS Config rule": "waf-regional-rule-not-empty", "Resource type": "AWS::WAFRegional::Rule", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule", "AWS Config rule": "waf-regional-rulegroup-not-empty", 
"Resource type": "AWS::WAFRegional::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group", "AWS Config rule": "waf-regional-webacl-not-empty", "Resource type": "AWS::WAFRegional::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.6] AWS WAF Classic global rules should have at least one condition", "AWS Config rule": "waf-global-rule-not-empty", "Resource type": "AWS::WAF::Rule", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.7] AWS WAF Classic global rule groups should have at least one rule", "AWS Config rule": "waf-global-rulegroup-not-empty", "Resource type": "AWS::WAF::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group", "AWS Config rule": "waf-global-webacl-not-empty", "Resource type": "AWS::WAF::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.10] AWS WAF web ACLs should have at least one rule or rule group", "AWS Config rule": "wafv2-webacl-not-empty", "Resource type": "AWS::WAFv2::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.11] AWS WAF web ACL logging should be enabled", "AWS Config rule": "wafv2-logging-enabled", "Resource type": "AWS::WAFv2::WebACL", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[WAF.12] AWS WAF rules should have CloudWatch metrics enabled", "AWS Config rule": "wafv2-rulegroup-logging-enabled", "Resource type": "AWS::WAFv2::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" } ] Jq コマンドでフィルタリング(Severity = Critical or High)
from datetime import datetime import json import requests import os import sys import logging from bs4 import BeautifulSoup
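LOG_LEVEL = logging.INFO

# Every page is a "<service>-controls.html" page under one user-guide prefix, so
# the list is built from the service slugs: the prefix is spelled out once and
# adding a service is a one-token change. Order is preserved in the output JSON.
_DOCS_BASE = "https://docs.aws.amazon.com/securityhub/latest/userguide/"
_CONTROL_PAGE_SLUGS = [
    "account", "acm", "apigateway", "appsync", "athena", "backup",
    "cloudformation", "cloudfront", "cloudtrail", "cloudwatch", "codebuild",
    "config", "dms", "documentdb", "dynamodb", "ecr", "ecs", "ec2",
    "autoscaling", "ssm", "efs", "eks", "elasticache", "elasticbeanstalk",
    "elb", "emr", "es", "eventbridge", "fsx", "guardduty", "iam", "kinesis",
    "kms", "lambda", "macie", "msk", "mq", "neptune", "networkfirewall",
    "opensearch", "pca", "rds", "redshift", "route53", "s3", "sagemaker",
    "secretsmanager", "sns", "sqs", "stepfunctions", "waf",
]
URLS = [f"{_DOCS_BASE}{slug}-controls.html" for slug in _CONTROL_PAGE_SLUGS]

# Field label -> how its value is read from the <p> that carries the label:
#   "code" -> text of the <code class="code"> element inside the paragraph
#   "text" -> the text that directly follows the <b> label inside the paragraph
SEARCH_STRINGS = {
    "AWS Config rule": "code",
    "Resource type": "code",
    "Schedule type": "text",
    "Severity": "text",
}

# Each control is an <h2>; its details are the <p> siblings that follow it.
FIND_ELEMENT_NAME = "h2"
FIND_NEXT_SIBLINGS = "p"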
class TimeFormatter(logging.Formatter):
    """logging.Formatter whose timestamps are rendered from a ``datetime``.

    The stock formatter converts ``record.created`` with ``time.localtime``;
    this subclass converts with ``datetime.fromtimestamp`` instead, so
    ``datefmt`` is rendered by ``datetime.strftime`` (which also understands
    ``%f``). Timestamps are in local time, as ``fromtimestamp`` without a
    ``tz`` argument yields a naive local datetime.
    """

    converter = datetime.fromtimestamp

    def formatTime(self, record, datefmt=None):
        """Return ``record.created`` as text.

        With ``datefmt`` given it is applied directly; otherwise
        ``default_time_format`` is applied and the millisecond part is
        appended through ``default_msec_format``, mirroring the base class.
        """
        stamp = self.converter(record.created)
        if not datefmt:
            base = stamp.strftime(self.default_time_format)
            return self.default_msec_format % (base, record.msecs)
        return stamp.strftime(datefmt)
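def init_logger():
    """Return the module logger, configured to emit one JSON-shaped line per record on stdout.

    The logger does not propagate to the root logger and its level is
    LOG_LEVEL. A repeated call returns the same logger without attaching a
    second handler, so records are not emitted twice.
    """
    logger = logging.getLogger(__name__)
    logger.propagate = False
    logger.setLevel(LOG_LEVEL)
    if logger.handlers:
        # Already configured by an earlier call; adding another StreamHandler
        # would duplicate every line.
        return logger

    # The template is serialised once with json.dumps and then %-expanded per
    # record by the Formatter. Only the template is JSON-escaped: a message
    # containing '"', '\\' or a newline is inserted verbatim and produces a line
    # that is not valid JSON. Treat the output as JSON-shaped text rather than
    # guaranteed-parseable JSON; a Formatter that json.dumps() a per-record dict
    # in format() would give that guarantee.
    log_format_string = json.dumps({
        'logLevel': '%(levelname)s',
        'time': '%(asctime)s',
        'line': "%(filename)s: %(lineno)d",
        'message': '%(message)s',
    }, indent=None)
    handler = logging.StreamHandler(sys.stdout)
    handler.setFormatter(TimeFormatter(log_format_string))
    logger.addHandler(handler)
    return logger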
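def main():
    """Scrape every Security Hub controls page in URLS and write the controls to a JSON file.

    One entry per control heading (FIND_ELEMENT_NAME) holds the heading text
    plus every field in SEARCH_STRINGS ("Not Found" when a field is absent).
    The result is written to ``.output/result_<YYYYmmddHHMMSS>.json``.
    """
    logger = init_logger()

    result = []
    for url in URLS:
        try:
            # A bounded timeout keeps one unresponsive page from hanging the
            # whole run; raise_for_status() stops an HTTP error page from being
            # scraped as if it were a controls page.
            response = requests.get(url, timeout=30)
            response.raise_for_status()
        except requests.RequestException as exc:
            logger.error(f"Skipping {url}: {exc}")
            continue
        response.encoding = response.apparent_encoding
        soup = BeautifulSoup(response.text, 'html.parser')
        for find_element in soup.find_all(FIND_ELEMENT_NAME):
            logger.debug(f"find_element: {find_element}")
            result.append(_extract_entry(find_element, logger))

    os.makedirs('.output', exist_ok=True)
    now = datetime.now().strftime('%Y%m%d%H%M%S')
    with open(f'.output/result_{now}.json', 'w', encoding='utf-8') as f:
        json.dump(result, f, ensure_ascii=False)
    logger.info(f"Successfully saved the result to .output/result_{now}.json")


def _section_paragraphs(find_element):
    """Return the FIND_NEXT_SIBLINGS elements between ``find_element`` and the next FIND_ELEMENT_NAME.

    ``find_next_siblings(FIND_NEXT_SIBLINGS)`` alone also returns the
    paragraphs of every later control on the page, so a field missing from one
    control would silently be filled with the next control's value. Stopping at
    the next heading keeps each lookup inside its own section.
    """
    paragraphs = []
    for sibling in find_element.find_next_siblings():
        if sibling.name == FIND_ELEMENT_NAME:
            break
        if sibling.name == FIND_NEXT_SIBLINGS:
            paragraphs.append(sibling)
    return paragraphs


def _extract_entry(find_element, logger):
    """Build the dict for one control heading from the paragraphs of its section.

    For each label in SEARCH_STRINGS the first paragraph containing the label
    and the expected markup is used: "text" fields take the text directly after
    the <b> label, "code" fields take the <code class="code"> element. Labels
    that are not found are recorded as "Not Found".
    """
    siblings = _section_paragraphs(find_element)
    entry = {"find_element.text": find_element.text}
    for search_string, method in SEARCH_STRINGS.items():
        for sibling in siblings:
            if search_string not in sibling.text:
                continue
            if method == "text":
                # Guard the markup assumption (<p><b>label</b> value</p>)
                # instead of raising AttributeError on a paragraph shaped
                # differently; NavigableString is a str subclass.
                label = sibling.b
                raw = label.next_sibling if label is not None else None
                if isinstance(raw, str):
                    entry[search_string] = raw.strip()
                    logger.debug(f"search_string: {search_string}, value: {entry[search_string]}")
                    break
            else:
                value_element = sibling.find(method, {'class': 'code'})
                if value_element:
                    entry[search_string] = value_element.text
                    logger.debug(f"search_string: {search_string}, value: {value_element.text}")
                    break
        if search_string not in entry:
            entry[search_string] = "Not Found"
            logger.debug(f"search_string: {search_string}, value: None")
    return entry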
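# Script entry point; importing the module does not start a scrape.
if __name__ == "__main__":
    main()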
## 取得された AWS Security Hub のコントロールのリファレンスのJSONファイル - 実際に取得された JSON ファイルの中身は以下のようになります。 - `Not Found` となっているものがいくつかありますが、`SEARCH_STRINGS` 変数で指定したキーワードが見つからなかった場合に `Not Found` となっています。 <details> <summary>AWS Security Hub のコントロールのリファレンスのJSON</summary> ```json [ { "find_element.text": "[Account.1] Security contact information should be provided for an AWS account", "AWS Config rule": "security-account-information-provided", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Account.2] AWS accounts should be part of an AWS Organizations organization", "AWS Config rule": "account-part-of-organizations", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period", "AWS Config rule": "acm-certificate-expiration-check", "Resource type": "AWS::ACM::Certificate", "Schedule type": "Change triggered and periodic", "Severity": "Medium" }, { "find_element.text": "[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits", "AWS Config rule": "acm-certificate-rsa-check", "Resource type": "AWS::ACM::Certificate", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[APIGateway.1] API Gateway REST and WebSocket API execution logging\n should be enabled", "AWS Config rule": "api-gw-execution-logging-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.2] API Gateway REST API stages should be configured to use\n SSL certificates for backend authentication", "AWS Config rule": "api-gw-ssl-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.3] API Gateway REST API stages should have AWS X-Ray\n tracing enabled", "AWS Config rule": 
"api-gw-xray-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[APIGateway.4] API Gateway should be associated with a WAF Web\n ACL", "AWS Config rule": "api-gw-cache-encrypted", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.5] API Gateway REST API cache data should be encrypted at\n rest", "AWS Config rule": "api-gw-cache-encrypted", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.8] API Gateway routes should specify an authorization\n type", "AWS Config rule": "api-gwv2-authorization-type-configured", "Resource type": "AWS::ApiGatewayV2::Route", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[APIGateway.9] Access logging should be configured for API Gateway V2\n Stages", "AWS Config rule": "api-gwv2-access-logs-enabled", "Resource type": "AWS::ApiGatewayV2::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AppSync.2] AWS AppSync should have field-level logging enabled", "AWS Config rule": "appsync-logging-enabled", "Resource type": "AWS::AppSync::GraphQLApi", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys", "AWS Config rule": "appsync-authorization-check", "Resource type": "AWS::AppSync::GraphQLApi", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Athena.1] Athena workgroups should be encrypted at\n rest", "AWS Config rule": "athena-workgroup-encrypted-at-rest", "Resource type": "AWS::Athena::WorkGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Backup.1] AWS Backup recovery points should be encrypted at rest", "AWS Config rule": 
"backup-recovery-point-encrypted", "Resource type": "AWS::Backup::RecoveryPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)", "AWS Config rule": "cloudformation-stack-notification-check", "Resource type": "AWS::CloudFormation::Stack", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.1] CloudFront distributions should have a default root object configured", "AWS Config rule": "cloudfront-default-root-object-configured", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CloudFront.3] CloudFront distributions should require encryption in transit", "AWS Config rule": "cloudfront-viewer-policy-https", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.4] CloudFront distributions should have origin failover configured", "AWS Config rule": "cloudfront-origin-failover-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.5] CloudFront distributions should have logging enabled", "AWS Config rule": "cloudfront-accesslogs-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.6] CloudFront distributions should have WAF enabled", "AWS Config rule": "cloudfront-associated-with-waf", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates", "AWS Config rule": "cloudfront-custom-ssl-certificate", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": 
"Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests", "AWS Config rule": "cloudfront-sni-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins", "AWS Config rule": "cloudfront-traffic-to-origin-encrypted", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins", "AWS Config rule": "cloudfront-no-deprecated-ssl-protocols", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins", "AWS Config rule": "cloudfront-s3-origin-non-existent-bucket", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudFront.13] CloudFront distributions should use origin access control", "AWS Config rule": "cloudfront-s3-origin-access-control-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "AWS Config rule": "multi-region-cloudtrail-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudTrail.2] CloudTrail should have encryption at-rest enabled", "AWS Config rule": "cloud-trail-encryption-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Medium" 
}, { "find_element.text": "[CloudTrail.3] CloudTrail should be enabled", "AWS Config rule": "cloudtrail-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudTrail.4] CloudTrail log file validation should be enabled", "AWS Config rule": "cloud-trail-log-file-validation-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs", "AWS Config rule": "cloud-trail-cloud-watch-logs-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", "AWS Config rule": "Not Found", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic and change\n triggered", "Severity": "Critical" }, { "find_element.text": "[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket", "AWS Config rule": "Not Found", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.1] A log metric filter and alarm should exist for usage of the \"root\" user", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": 
"Low" }, { "find_element.text": "[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network 
Access Control Lists (NACL)", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.15] CloudWatch alarms should have specified actions configured", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::CloudWatch::Alarm", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CloudWatch.16] CloudWatch log groups should be retained for a specified time period", "AWS Config rule": "cw-loggroup-retention-period-check", "Resource type": "AWS::Logs::LogGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[CloudWatch.17] CloudWatch alarm actions should be activated", "AWS Config rule": "cloudwatch-alarm-action-enabled-check", "Resource type": "AWS::CloudWatch::Alarm", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials", "AWS Config rule": "codebuild-project-source-repo-url-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Critical" }, 
{ "find_element.text": "[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials", "AWS Config rule": "codebuild-project-envvar-awscred-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[CodeBuild.3] CodeBuild S3 logs should be encrypted", "AWS Config rule": "codebuild-project-s3-logs-encrypted", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration", "AWS Config rule": "codebuild-project-logging-enabled", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled", "AWS Config rule": "codebuild-project-environment-privileged-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Config.1] AWS Config should be enabled", "AWS Config rule": "Not Found", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DMS.1] Database Migration Service replication instances should not be public", "AWS Config rule": "dms-replication-not-public", "Resource type": "AWS::DMS::ReplicationInstance", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[DMS.6] DMS replication instances should have automatic minor version upgrade enabled", "AWS Config rule": "dms-auto-minor-version-upgrade-enabled", "Resource type": "AWS::DMS::ReplicationInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.7] DMS replication tasks for the target database should have logging enabled", "AWS Config rule": "dms-replication-task-targetdb-logging", "Resource type": 
"AWS::DMS::ReplicationTask", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.8] DMS replication tasks for the source database should have logging enabled", "AWS Config rule": "dms-replication-task-sourcedb-logging", "Resource type": "AWS::DMS::ReplicationTask", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.9] DMS endpoints should use SSL", "AWS Config rule": "dms-endpoint-ssl-configured", "Resource type": "AWS::DMS::Endpoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at\n rest", "AWS Config rule": "docdb-cluster-encrypted", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period", "AWS Config rule": "docdb-cluster-backup-retention-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public", "AWS Config rule": "docdb-cluster-snapshot-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs", "AWS Config rule": "docdb-cluster-audit-logging-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled", "AWS Config rule": "docdb-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.1] DynamoDB tables should automatically 
scale capacity with demand", "AWS Config rule": "dynamodb-autoscaling-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled", "AWS Config rule": "dynamodb-pitr-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest", "AWS Config rule": "dax-encryption-enabled", "Resource type": "AWS::DynamoDB::Cluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.4] DynamoDB tables should be present in a backup plan", "AWS Config rule": "dynamodb-resources-protected-by-backup-plan", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.6] DynamoDB tables should have deletion protection enabled", "AWS Config rule": "dynamodb-table-deletion-protection-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECR.1] ECR private repositories should have image scanning configured", "AWS Config rule": "ecr-private-image-scanning-enabled", "Resource type": "AWS::ECR::Repository", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ECR.2] ECR private repositories should have tag immutability configured", "AWS Config rule": "ecr-private-tag-immutability-enabled", "Resource type": "AWS::ECR::Repository", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECR.3] ECR repositories should have at least one lifecycle policy configured", "AWS Config rule": "ecr-private-lifecycle-policy-configured", "Resource type": "AWS::ECR::Repository", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECS.1] Amazon ECS task 
definitions should have secure networking modes and user definitions.", "AWS Config rule": "ecs-task-definition-user-for-host-mode-check", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.2] ECS services should not have public IP addresses assigned to them automatically", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Service", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.3] ECS task definitions should not share the host's process namespace", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.4] ECS containers should run as non-privileged", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.5] ECS containers should be limited to read-only access to root filesystems", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.8] Secrets should not be passed as container environment variables", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.9] ECS task definitions should have a logging configuration", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.10] ECS Fargate services should run on the latest Fargate platform version", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Service", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECS.12] ECS clusters should use Container Insights", "AWS Config rule": "Not Found", "Resource 
type": "AWS::ECS::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.1] Amazon EBS snapshots should not be publicly restorable", "AWS Config rule": "ebs-snapshot-public-restorable-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[EC2.2] VPC default security groups should not allow inbound or outbound traffic", "AWS Config rule": "vpc-default-security-group-closed", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest", "AWS Config rule": "encrypted-volumes", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.4] Stopped EC2 instances should be removed after a specified time period", "AWS Config rule": "ec2-stopped-instance", "Resource type": "AWS::EC2::Instance", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.6] VPC flow logging should be enabled in all VPCs", "AWS Config rule": "vpc-flow-logs-enabled", "Resource type": "AWS::EC2::VPC", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.7] EBS default encryption should be enabled", "AWS Config rule": "ec2-ebs-encryption-by-default", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "AWS Config rule": "ec2-imdsv2-check", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.9] Amazon EC2 instances should not have a public IPv4 address", "AWS Config rule": "ec2-instance-no-public-ip", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.10] 
Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service", "AWS Config rule": "service-vpc-endpoint-enabled", "Resource type": "AWS::EC2::VPC", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.12] Unused Amazon EC2 EIPs should be removed", "AWS Config rule": "eip-attached", "Resource type": "AWS::EC2::EIP", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.13] Security groups should not allow ingress from\n 0.0.0.0/0 or ::/0 to port 22", "AWS Config rule": "restricted-ssh", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", "AWS Config rule": "restricted-common-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.15] Amazon EC2 subnets should not automatically assign\n public IP addresses", "AWS Config rule": "subnet-auto-assign-public-ip-disabled", "Resource type": "AWS::EC2::Subnet", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.16] Unused Network Access Control Lists should be\n removed", "AWS Config rule": "vpc-network-acl-unused-check", "Resource type": "AWS::EC2::NetworkAcl", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.17] Amazon EC2 instances should not use multiple\n ENIs", "AWS Config rule": "ec2-instance-multiple-eni-check", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.18] Security groups should only allow unrestricted\n incoming traffic for authorized ports", "AWS Config rule": "vpc-sg-open-only-to-authorized-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { 
"find_element.text": "[EC2.19] Security groups should not allow unrestricted\n access to ports with high risk", "AWS Config rule": "vpc-sg-restricted-common-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN\n connection should be up", "AWS Config rule": "vpc-vpn-2-tunnels-up", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.21] Network ACLs should not allow ingress from\n 0.0.0.0/0 to port 22 or port 3389", "AWS Config rule": "nacl-no-unrestricted-ssh-rdp", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.22] Unused Amazon EC2 security groups should be\n removed", "AWS Config rule": "ec2-security-group-attached-to-eni-periodic", "Resource type": "AWS::EC2::Volume", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.23] Amazon EC2 Transit Gateways should not automatically\n accept VPC attachment requests", "AWS Config rule": "ec2-transit-gateway-auto-vpc-attach-disabled", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.24] Amazon EC2 paravirtual instance types should not be\n used", "AWS Config rule": "ec2-paravirtual-instance-check", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.25] Amazon EC2 launch templates should not assign public\n IPs to network interfaces", "AWS Config rule": "ec2-launch-template-public-ip-disabled", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.28] EBS volumes should be covered by a backup\n plan", "AWS Config rule": "ebs-resources-protected-by-backup-plan", "Resource type": 
"AWS::EC2::Volume", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled", "AWS Config rule": "ec2-client-vpn-connection-log-enabled", "Resource type": "AWS::EC2::ClientVpnEndpoint", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[AutoScaling.1] Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks", "AWS Config rule": "autoscaling-group-elb-healthcheck-required", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones", "AWS Config rule": "autoscaling-multiple-az", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)", "AWS Config rule": "autoscaling-launchconfig-requires-imdsv2", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1", "AWS Config rule": "autoscaling-launch-config-hop-limit", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses", "AWS Config rule": "autoscaling-launch-config-public-ip-disabled", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[AutoScaling.6] Auto Scaling 
groups should use multiple instance types in multiple Availability Zones", "AWS Config rule": "autoscaling-multiple-instance-types", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates", "AWS Config rule": "autoscaling-launch-template", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager", "AWS Config rule": "ec2-instance-managed-by-systems-manager", "Resource type": "AWS::SSM::PatchCompliance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation", "AWS Config rule": "ec2-managedinstance-patch-compliance-status-check", "Resource type": "AWS::SSM::PatchCompliance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT", "AWS Config rule": "ec2-managedinstance-association-compliance-status-check", "Resource type": "AWS::SSM::AssociationCompliance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[SSM.4] SSM documents should not be public", "AWS Config rule": "ssm-document-not-public", "Resource type": "AWS::SSM::Document", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS", "AWS Config rule": "efs-encrypted-check", "Resource type": "AWS::EFS::FileSystem", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EFS.2] Amazon EFS volumes should be in backup plans", 
"AWS Config rule": "efs-in-backup-plan", "Resource type": "AWS::EFS::FileSystem", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EFS.3] EFS access points should enforce a root directory", "AWS Config rule": "efs-access-point-enforce-root-directory", "Resource type": "AWS::EFS::AccessPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EFS.4] EFS access points should enforce a user identity", "AWS Config rule": "efs-access-point-enforce-user-identity", "Resource type": "AWS::EFS::AccessPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EKS.1] EKS cluster endpoints should not be publicly accessible", "AWS Config rule": "eks-endpoint-no-public-access", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[EKS.2] EKS clusters should run on a supported Kubernetes version", "AWS Config rule": "eks-cluster-supported-version", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EKS.8] EKS clusters should have audit logging enabled", "AWS Config rule": "eks-cluster-logging-enabled", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled", "AWS Config rule": "elasticache-redis-cluster-automatic-backup-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled", "AWS Config rule": "elasticache-auto-minor-version-upgrade-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElastiCache.3] ElastiCache for Redis replication groups should have 
automatic failover enabled", "AWS Config rule": "elasticache-repl-grp-auto-failover-enabled", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest", "AWS Config rule": "elasticache-repl-grp-encrypted-at-rest", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit", "AWS Config rule": "elasticache-repl-grp-encrypted-in-transit", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH", "AWS Config rule": "elasticache-repl-grp-redis-auth-enabled", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.7] ElastiCache clusters should not use the default subnet group", "AWS Config rule": "elasticache-subnet-group-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled", "AWS Config rule": "beanstalk-enhanced-health-reporting-enabled", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled", "AWS Config rule": "elastic-beanstalk-managed-updates-enabled", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to 
CloudWatch", "AWS Config rule": "elastic-beanstalk-logs-to-cloudwatch", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS", "AWS Config rule": "alb-http-to-https-redirection-check", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager", "AWS Config rule": "elb-acm-certificate-required", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination", "AWS Config rule": "elb-tls-https-listeners-only", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.4] Application Load Balancer should be configured to drop http headers", "AWS Config rule": "alb-http-drop-invalid-header-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.5] Application and Classic Load Balancers logging should be enabled", "AWS Config rule": "elb-logging-enabled", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.6] Application Load Balancer deletion protection should be enabled", "AWS Config rule": "elb-deletion-protection-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.7] Classic Load Balancers should have connection draining 
enabled", "AWS Config rule": "elb-predefined-security-policy-ssl-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration", "AWS Config rule": "elb-predefined-security-policy-ssl-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled", "AWS Config rule": "elb-cross-zone-load-balancing-enabled", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.10] Classic Load Balancer should span multiple Availability Zones", "AWS Config rule": "clb-multiple-az", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode", "AWS Config rule": "alb-desync-mode-check", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones", "AWS Config rule": "elbv2-multiple-az", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode", "AWS Config rule": "clb-desync-mode-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.16] Application Load 
Balancers should be associated with an AWS WAF web ACL", "AWS Config rule": "alb-waf-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses", "AWS Config rule": "emr-master-no-public-ip", "Resource type": "AWS::EMR::Cluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[EMR.2] Amazon EMR block public access setting should be enabled", "AWS Config rule": "emr-block-public-access", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[ES.1] Elasticsearch domains should have encryption at-rest enabled", "AWS Config rule": "elasticsearch-encrypted-at-rest", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ES.2] Elasticsearch domains should not be publicly accessible", "AWS Config rule": "elasticsearch-in-vpc-only", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[ES.3] Elasticsearch domains should encrypt data sent between nodes", "AWS Config rule": "elasticsearch-node-to-node-encryption-check", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled", "AWS Config rule": "elasticsearch-logs-to-cloudwatch", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.5] Elasticsearch domains should have audit logging enabled", "AWS Config rule": "elasticsearch-audit-logging-enabled", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.6] 
Elasticsearch domains should have at least three data nodes", "AWS Config rule": "elasticsearch-data-node-fault-tolerance", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes", "AWS Config rule": "elasticsearch-https-required", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2", "AWS Config rule": "elasticsearch-https-required", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached", "AWS Config rule": "custom-schema-registry-policy-attached", "Resource type": "AWS::Events::EventBus", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EventBridge.4] EventBridge global endpoints should have event replication enabled", "AWS Config rule": "global-endpoint-event-replication-enabled", "Resource type": "AWS::Events::Endpoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes", "AWS Config rule": "fsx-openzfs-copy-tags-enabled", "Resource type": "AWS::FSx::FileSystem", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[GuardDuty.1] GuardDuty should be enabled", "AWS Config rule": "guardduty-enabled-centralized", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[IAM.1] IAM policies should not allow full \"*\" administrative privileges", "AWS Config rule": "iam-policy-no-statements-with-admin-access", "Resource type": 
"AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[IAM.2] IAM users should not have IAM policies attached", "AWS Config rule": "iam-user-no-policies-check", "Resource type": "AWS::IAM::User", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[IAM.3] IAM users' access keys should be rotated every 90 days or less", "AWS Config rule": "access-keys-rotated", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.4] IAM root user access key should not exist", "AWS Config rule": "iam-root-access-key-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.5] MFA should be enabled for all IAM users that have a console password", "AWS Config rule": "mfa-enabled-for-iam-console-access", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.6] Hardware MFA should be enabled for the root user", "AWS Config rule": "root-account-hardware-mfa-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.7] Password policies for IAM users should have strong configurations", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.8] Unused IAM user credentials should be removed", "AWS Config rule": "iam-user-unused-credentials-check", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.9] MFA should be enabled for the root user", "AWS Config rule": "root-account-mfa-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.10] Password policies for IAM users should have strong AWS Configurations", "AWS 
Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.11] Ensure IAM password policy requires at least one uppercase letter", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.12] Ensure IAM password policy requires at least one lowercase letter", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.13] Ensure IAM password policy requires at least one symbol", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.14] Ensure IAM password policy requires at least one number", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.16] Ensure IAM password policy prevents password reuse", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.17] Ensure IAM password policy expires passwords within 90 days or less", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.18] Ensure a support role has been created to manage incidents with AWS Support", "AWS Config rule": "iam-policy-in-use", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.19] MFA should be 
enabled for all IAM users", "AWS Config rule": "iam-user-mfa-enabled", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.20] Avoid the use of the root user", "AWS Config rule": "use-of-root-account-test", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services", "AWS Config rule": "iam-policy-no-statements-with-full-access", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[IAM.22] IAM user credentials unused for 45 days should be removed", "AWS Config rule": "iam-user-unused-credentials-check", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Kinesis.1] Kinesis streams should be encrypted at rest", "AWS Config rule": "kinesis-stream-encrypted", "Resource type": "AWS::Kinesis::Stream", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys", "AWS Config rule": "iam-customer-policy-blocked-kms-actions", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys", "AWS Config rule": "iam-inline-policy-blocked-kms-actions", "Resource type": "AWS::KMS::Key", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.3] AWS KMS keys should not be deleted unintentionally", "AWS Config rule": "kms-cmk-not-scheduled-for-deletion-2", "Resource type": "AWS::KMS::Key", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[KMS.4] AWS KMS key rotation should be enabled", "AWS Config 
rule": "cmk-backing-key-rotation-enabled", "Resource type": "AWS::KMS::Key", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Lambda.1] Lambda function policies should prohibit public access", "AWS Config rule": "lambda-function-public-access-prohibited", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Lambda.2] Lambda functions should use supported runtimes", "AWS Config rule": "lambda-function-settings-check", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Lambda.3] Lambda functions should be in a VPC", "AWS Config rule": "lambda-inside-vpc", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones", "AWS Config rule": "lambda-vpc-multi-az-check", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Macie.1] Macie should be enabled", "AWS Config rule": "macie-status-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[MSK.1] MSK clusters should be encrypted in transit among broker nodes", "AWS Config rule": "msk-in-cluster-node-require-tls", "Resource type": "AWS::MSK::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[MSK.2] MSK clusters should have enhanced monitoring configured", "AWS Config rule": "msk-enhanced-monitoring-enabled", "Resource type": "AWS::MSK::Cluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[MQ.5] ActiveMQ brokers should use active/standby deployment mode", "AWS Config rule": "mq-active-deployment-mode", "Resource type": "AWS::AmazonMQ::Broker", "Schedule type": "Change triggered", 
"Severity": "Low" }, { "find_element.text": "[MQ.6] RabbitMQ brokers should use cluster deployment mode", "AWS Config rule": "mq-rabbit-deployment-mode", "Resource type": "AWS::AmazonMQ::Broker", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.1] Neptune DB clusters should be encrypted at\n rest", "AWS Config rule": "neptune-cluster-encrypted", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Neptune.2] Neptune DB clusters should publish audit\n logs to CloudWatch Logs", "AWS Config rule": "neptune-cluster-cloudwatch-log-export-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Neptune.3] Neptune DB cluster snapshots should not be\n public", "AWS Config rule": "neptune-cluster-snapshot-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Neptune.4] Neptune DB clusters should have deletion\n protection enabled", "AWS Config rule": "neptune-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.5] Neptune DB clusters should have automated\n backups enabled", "AWS Config rule": "neptune-cluster-backup-retention-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.6] Neptune DB cluster snapshots should be\n encrypted at rest", "AWS Config rule": "neptune-cluster-snapshot-encrypted", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.7] Neptune DB clusters should have IAM\n database authentication enabled", "AWS Config rule": "neptune-cluster-iam-database-authentication", "Resource type": 
"AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.8] Neptune DB clusters should be configured to\n copy tags to snapshots", "AWS Config rule": "neptune-cluster-copy-tags-to-snapshot-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones", "AWS Config rule": "neptune-cluster-multi-az-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones", "AWS Config rule": "netfw-multi-az-enabled", "Resource type": "AWS::NetworkFirewall::Firewall", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.2] Network Firewall logging should be enabled", "AWS Config rule": "netfw-logging-enabled", "Resource type": "AWS::NetworkFirewall::LoggingConfiguration", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated", "AWS Config rule": "netfw-policy-rule-group-associated", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets", "AWS Config rule": "netfw-policy-default-action-full-packets", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets", "AWS Config rule": 
"netfw-policy-default-action-fragment-packets", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty", "AWS Config rule": "netfw-stateless-rule-group-not-empty", "Resource type": "AWS::NetworkFirewall::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled", "AWS Config rule": "netfw-deletion-protection-enabled", "Resource type": "AWS::NetworkFirewall::Firewall", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.1] OpenSearch domains should have encryption at rest enabled", "AWS Config rule": "opensearch-encrypted-at-rest", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.2] OpenSearch domains should not be publicly accessible", "AWS Config rule": "opensearch-in-vpc-only", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Opensearch.3] OpenSearch domains should encrypt data sent between nodes", "AWS Config rule": "opensearch-node-to-node-encryption-check", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled", "AWS Config rule": "opensearch-logs-to-cloudwatch", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.5] OpenSearch domains should have audit logging enabled", "AWS Config rule": "opensearch-audit-logging-enabled", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": 
"Medium" }, { "find_element.text": "[Opensearch.6] OpenSearch domains should have at least three data nodes", "AWS Config rule": "opensearch-data-node-fault-tolerance", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled", "AWS Config rule": "opensearch-access-control-enabled", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2", "AWS Config rule": "opensearch-https-required", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.10] OpenSearch domains should have the latest software update installed", "AWS Config rule": "opensearch-update-check", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[PCA.1] AWS Private CA root certificate authority should be disabled", "AWS Config rule": "acm-pca-root-ca-disabled", "Resource type": "AWS::ACMPCA::CertificateAuthority", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[RDS.1] RDS snapshot should be private", "AWS Config rule": "rds-snapshots-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", "AWS Config rule": "rds-instance-public-access-check", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[RDS.3] RDS DB instances should have encryption at-rest enabled", "AWS Config rule": "rds-storage-encrypted", "Resource type": 
"AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest", "AWS Config rule": "rds-snapshot-encrypted", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.5] RDS DB instances should be configured with multiple Availability Zones", "AWS Config rule": "rds-multi-az-support", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.6] Enhanced monitoring should be configured for RDS DB instances", "AWS Config rule": "rds-enhanced-monitoring-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.7] RDS clusters should have deletion protection enabled", "AWS Config rule": "rds-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.8] RDS DB instances should have deletion protection enabled", "AWS Config rule": "rds-instance-deletion-protection-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.9] RDS DB instances should publish logs to CloudWatch Logs", "AWS Config rule": "rds-logging-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.10] IAM authentication should be configured for RDS instances", "AWS Config rule": "rds-instance-iam-authentication-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.11] RDS instances should have automatic backups enabled", "AWS Config rule": "db-instance-backup-enabled", "Resource type": 
"AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.12] IAM authentication should be configured for RDS clusters", "AWS Config rule": "rds-cluster-iam-authentication-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.13] RDS automatic minor version upgrades should be enabled", "AWS Config rule": "rds-automatic-minor-version-upgrade-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[RDS.14] Amazon Aurora clusters should have backtracking enabled", "AWS Config rule": "aurora-mysql-backtracking-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.15] RDS DB clusters should be configured for multiple Availability Zones", "AWS Config rule": "rds-cluster-multi-az-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.16] RDS DB clusters should be configured to copy tags to snapshots", "AWS Config rule": "rds-cluster-copy-tags-to-snapshots-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.17] RDS DB instances should be configured to copy tags to snapshots", "AWS Config rule": "rds-instance-copy-tags-to-snapshots-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.18] RDS instances should be deployed in a VPC", "AWS Config rule": "rds-deployed-in-vpc", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events", "AWS Config rule": 
"rds-cluster-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events", "AWS Config rule": "rds-instance-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events", "AWS Config rule": "rds-pg-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.22] An RDS event notifications subscription should be configured for critical database security group events", "AWS Config rule": "rds-sg-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.23] RDS instances should not use a database engine default port", "AWS Config rule": "rds-no-default-ports", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.24] RDS Database clusters should use a custom administrator username", "AWS Config rule": "rds-cluster-default-admin-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.25] RDS database instances should use a custom administrator username", "AWS Config rule": "rds-instance-default-admin-check", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.26] RDS DB instances should be protected by a backup plan", "AWS Config rule": "rds-resources-protected-by-backup-plan", "Resource type": 
"AWS::RDS::DBInstance", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[RDS.27] RDS DB clusters should be encrypted at rest", "AWS Config rule": "rds-cluster-encrypted-at-rest", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs", "AWS Config rule": "rds-aurora-mysql-audit-logging-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled", "AWS Config rule": "rds-cluster-auto-minor-version-upgrade-enable", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.1] Amazon Redshift clusters should prohibit public access", "AWS Config rule": "redshift-cluster-public-access-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit", "AWS Config rule": "redshift-require-tls-ssl", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled", "AWS Config rule": "redshift-backup-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.4] Amazon Redshift clusters should have audit logging enabled", "AWS Config rule": "redshift-cluster-audit-logging-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled", 
"AWS Config rule": "redshift-cluster-maintenancesettings-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.7] Redshift clusters should use enhanced VPC routing", "AWS Config rule": "redshift-enhanced-vpc-routing-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.8] Amazon Redshift clusters should not use the default Admin username", "AWS Config rule": "redshift-default-admin-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.9] Redshift clusters should not use the default database name", "AWS Config rule": "redshift-default-db-name-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.10] Redshift clusters should be encrypted at rest", "AWS Config rule": "redshift-cluster-kms-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Route53.2] Route 53 public hosted zones should log DNS queries", "AWS Config rule": "route53-query-logging-enabled", "Resource type": "AWS::Route53::HostedZone", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.1] S3 Block Public Access setting should be enabled", "AWS Config rule": "s3-account-level-public-access-blocks-periodic", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[S3.2] S3 buckets should prohibit public read access", "AWS Config rule": "s3-bucket-public-read-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Periodic and change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.3] S3 buckets should prohibit public write access", "AWS 
Config rule": "s3-bucket-public-write-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Periodic and change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.5] S3 buckets should require requests to use Secure Socket Layer", "AWS Config rule": "s3-bucket-ssl-requests-only", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted", "AWS Config rule": "s3-bucket-blacklisted-actions-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[S3.7] S3 buckets should have cross-Region replication enabled", "AWS Config rule": "s3-bucket-replication-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.8] S3 Block Public Access setting should be enabled at the bucket-level", "AWS Config rule": "s3-bucket-level-public-access-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[S3.9] S3 bucket server access logging should be enabled", "AWS Config rule": "s3-bucket-logging-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.10] S3 buckets with versioning enabled should have lifecycle policies configured", "AWS Config rule": "s3-version-lifecycle-policy-check", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.11] S3 buckets should have event notifications enabled", "AWS Config rule": "s3-event-notifications-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.12] S3 access control lists (ACLs) should not be used to manage user 
access to buckets", "AWS Config rule": "s3-bucket-acl-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.13] S3 buckets should have lifecycle policies configured", "AWS Config rule": "s3-lifecycle-policy-check", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.14] S3 buckets should use versioning", "AWS Config rule": "s3-bucket-versioning-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.15] S3 buckets should be configured to use Object Lock", "AWS Config rule": "s3-bucket-default-lock-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.17] S3 buckets should be encrypted at rest with AWS KMS keys", "AWS Config rule": "s3-default-encryption-kms", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.19] S3 access points should have block public access settings enabled", "AWS Config rule": "s3-access-point-public-access-blocks", "Resource type": "AWS::S3::AccessPoint", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.20] S3 general purpose buckets should have MFA delete enabled", "AWS Config rule": "s3-bucket-mfa-delete-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access", "AWS Config rule": "sagemaker-notebook-no-direct-internet-access", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC", "AWS Config rule": 
"sagemaker-notebook-instance-inside-vpc", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SageMaker.3] Users should not have root access to SageMaker notebook instances", "AWS Config rule": "sagemaker-notebook-instance-root-access-check", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled", "AWS Config rule": "secretsmanager-rotation-enabled-check", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully", "AWS Config rule": "secretsmanager-scheduled-rotation-success-check", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.3] Remove unused Secrets Manager secrets", "AWS Config rule": "secretsmanager-secret-unused", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days", "AWS Config rule": "secretsmanager-secret-periodic-rotation", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[SNS.1] SNS topics should be encrypted at-rest using AWS KMS", "AWS Config rule": "sns-encrypted-kms", "Resource type": "AWS::SNS::Topic", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic", "AWS Config rule": "sns-topic-message-delivery-notification-enabled", "Resource type": "AWS::SNS::Topic", 
"Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SQS.1] Amazon SQS queues should be encrypted at rest", "AWS Config rule": "sqs-queue-encrypted", "Resource type": "AWS::SQS::Queue", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[StepFunctions.1] Step Functions state machines should have\n logging turned on", "AWS Config rule": "step-functions-state-machine-logging-enabled", "Resource type": "AWS::StepFunctions::StateMachine", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled", "AWS Config rule": "waf-classic-logging-enabled", "Resource type": "AWS::WAF::WebACL", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[WAF.2] AWS WAF Classic Regional rules should have at least one condition", "AWS Config rule": "waf-regional-rule-not-empty", "Resource type": "AWS::WAFRegional::Rule", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule", "AWS Config rule": "waf-regional-rulegroup-not-empty", "Resource type": "AWS::WAFRegional::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group", "AWS Config rule": "waf-regional-webacl-not-empty", "Resource type": "AWS::WAFRegional::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.6] AWS WAF Classic global rules should have at least one condition", "AWS Config rule": "waf-global-rule-not-empty", "Resource type": "AWS::WAF::Rule", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.7] AWS WAF Classic global rule groups should have at least one rule", "AWS Config rule": "waf-global-rulegroup-not-empty", "Resource type": 
"AWS::WAF::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group", "AWS Config rule": "waf-global-webacl-not-empty", "Resource type": "AWS::WAF::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.10] AWS WAF web ACLs should have at least one rule or rule group", "AWS Config rule": "wafv2-webacl-not-empty", "Resource type": "AWS::WAFv2::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.11] AWS WAF web ACL logging should be enabled", "AWS Config rule": "wafv2-logging-enabled", "Resource type": "AWS::WAFv2::WebACL", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[WAF.12] AWS WAF rules should have CloudWatch metrics enabled", "AWS Config rule": "wafv2-rulegroup-logging-enabled", "Resource type": "AWS::WAFv2::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" } ]
取得した JSON ファイルを jq コマンドでフィルタリングして、それぞれの Severity に応じた AWS Config rule を抽出してみました。
まずは、Critical の AWS Config rule を抽出してみます。
Not Found
なし (カスタム Security Hub ルール)
% cat result_20240204153052.json| jq '.[] | select(.Severity == "Critical") | {title: ."find_element.text" ,config_rule: ."AWS Config rule"}' { "title": "[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", "config_rule": "Not Found" } { "title": "[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials", "config_rule": "codebuild-project-source-repo-url-check" } { "title": "[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials", "config_rule": "codebuild-project-envvar-awscred-check" } { "title": "[DMS.1] Database Migration Service replication instances should not be public", "config_rule": "dms-replication-not-public" } { "title": "[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public", "config_rule": "docdb-cluster-snapshot-public-prohibited" } { "title": "[EC2.1] Amazon EBS snapshots should not be publicly restorable", "config_rule": "ebs-snapshot-public-restorable-check" } { "title": "[EC2.19] Security groups should not allow unrestrictedaccess to ports with high risk", "config_rule": "vpc-sg-restricted-common-ports" } { "title": "[SSM.4] SSM documents should not be public", "config_rule": "ssm-document-not-public" } { "title": "[EMR.2] Amazon EMR block public access setting should be enabled", "config_rule": "emr-block-public-access" } { "title": "[ES.2] Elasticsearch domains should not be publicly accessible", "config_rule": "elasticsearch-in-vpc-only" } { "title": "[IAM.4] IAM root user access key should not exist", "config_rule": "iam-root-access-key-check" } { "title": "[IAM.6] Hardware MFA should be enabled for the root user", "config_rule": "root-account-hardware-mfa-enabled" } { "title": "[IAM.9] MFA should be enabled for the root user", "config_rule": "root-account-mfa-enabled" } { "title": "[KMS.3] AWS KMS keys should not be deleted unintentionally", "config_rule": "kms-cmk-not-scheduled-for-deletion-2" 
} { "title": "[Lambda.1] Lambda function policies should prohibit public access", "config_rule": "lambda-function-public-access-prohibited" } { "title": "[Neptune.3] Neptune DB cluster snapshots should not bepublic", "config_rule": "neptune-cluster-snapshot-public-prohibited" } { "title": "[Opensearch.2] OpenSearch domains should not be publicly accessible", "config_rule": "opensearch-in-vpc-only" } { "title": "[RDS.1] RDS snapshot should be private", "config_rule": "rds-snapshots-public-prohibited" } { "title": "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", "config_rule": "rds-instance-public-access-check" } { "title": "[Redshift.1] Amazon Redshift clusters should prohibit public access", "config_rule": "redshift-cluster-public-access-check" } { "title": "[S3.2] S3 buckets should prohibit public read access", "config_rule": "s3-bucket-public-read-prohibited" } { "title": "[S3.3] S3 buckets should prohibit public write access", "config_rule": "s3-bucket-public-write-prohibited" } { "title": "[S3.19] S3 access points should have block public access settings enabled", "config_rule": "s3-access-point-public-access-blocks" } - 次に、High の AWS Config rule を抽出してみます。 - Critical よりも低いが、セキュリティ上のリスクが高いと判断される AWS Config rule が抽出されました。 - `Not Found` となっているものは、ドキュメント上で `AWS Config rule` ではなく `AWS Configrule` となっているため、抽出できていません。 % cat result_20240204153052.json| jq '.[] | select(.Severity == "High") | {title: ."find_element.text" ,config_rule: ."AWS Config rule"}' { "title": "[Account.2] AWS accounts should be part of an AWS Organizations organization", "config_rule": "account-part-of-organizations" } { "title": "[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits", "config_rule": "acm-certificate-rsa-check" } { "title": "[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API 
keys", "config_rule": "appsync-authorization-check" } { "title": "[CloudFront.1] CloudFront distributions should have a default root object configured", "config_rule": "cloudfront-default-root-object-configured" } { "title": "[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins", "config_rule": "cloudfront-s3-origin-non-existent-bucket" } { "title": "[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "config_rule": "multi-region-cloudtrail-enabled" } { "title": "[CloudTrail.3] CloudTrail should be enabled", "config_rule": "cloudtrail-enabled" } { "title": "[CloudWatch.15] CloudWatch alarms should have specified actions configured", "config_rule": "cloudwatch-alarm-action-check" } { "title": "[CloudWatch.17] CloudWatch alarm actions should be activated", "config_rule": "cloudwatch-alarm-action-enabled-check" } { "title": "[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled", "config_rule": "codebuild-project-environment-privileged-check" } { "title": "[ECR.1] ECR private repositories should have image scanning configured", "config_rule": "ecr-private-image-scanning-enabled" } { "title": "[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.", "config_rule": "ecs-task-definition-user-for-host-mode-check" } { "title": "[ECS.2] ECS services should not have public IP addresses assigned to them automatically", "config_rule": "Not Found" } { "title": "[ECS.3] ECS task definitions should not share the host's process namespace", "config_rule": "Not Found" } { "title": "[ECS.4] ECS containers should run as non-privileged", "config_rule": "Not Found" } { "title": "[ECS.5] ECS containers should be limited to read-only access to root filesystems", "config_rule": "Not Found" } { "title": "[ECS.8] Secrets should not be passed as container environment variables", "config_rule": "Not 
Found" } { "title": "[ECS.9] ECS task definitions should have a logging configuration", "config_rule": "Not Found" } { "title": "[EC2.2] VPC default security groups should not allow inbound or outbound traffic", "config_rule": "vpc-default-security-group-closed" } { "title": "[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "config_rule": "ec2-imdsv2-check" } { "title": "[EC2.9] Amazon EC2 instances should not have a public IPv4 address", "config_rule": "ec2-instance-no-public-ip" } { "title": "[EC2.13] Security groups should not allow ingress from\n 0.0.0.0/0 or ::/0 to port 22", "config_rule": "restricted-ssh" } { "title": "[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", "config_rule": "restricted-common-ports" } { "title": "[EC2.18] Security groups should only allow unrestricted\n incoming traffic for authorized ports", "config_rule": "vpc-sg-open-only-to-authorized-ports" } { "title": "[EC2.23] Amazon EC2 Transit Gateways should not automatically\n accept VPC attachment requests", "config_rule": "ec2-transit-gateway-auto-vpc-attach-disabled" } { "title": "[EC2.25] Amazon EC2 launch templates should not assign public\n IPs to network interfaces", "config_rule": "ec2-launch-template-public-ip-disabled" } { "title": "[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)", "config_rule": "autoscaling-launchconfig-requires-imdsv2" } { "title": "[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1", "config_rule": "autoscaling-launch-config-hop-limit" } { "title": "[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses", "config_rule": "autoscaling-launch-config-public-ip-disabled" } { "title": "[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch 
compliance status of COMPLIANT after a patch installation", "config_rule": "ec2-managedinstance-patch-compliance-status-check" } { "title": "[EKS.1] EKS cluster endpoints should not be publicly accessible", "config_rule": "eks-endpoint-no-public-access" } { "title": "[EKS.2] EKS clusters should run on a supported Kubernetes version", "config_rule": "eks-cluster-supported-version" } { "title": "[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled", "config_rule": "elasticache-redis-cluster-automatic-backup-check" } { "title": "[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled", "config_rule": "elasticache-auto-minor-version-upgrade-check" } { "title": "[ElastiCache.7] ElastiCache clusters should not use the default subnet group", "config_rule": "elasticache-subnet-group-check" } { "title": "[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled", "config_rule": "elastic-beanstalk-managed-updates-enabled" } { "title": "[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch", "config_rule": "elastic-beanstalk-logs-to-cloudwatch" } { "title": "[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses", "config_rule": "emr-master-no-public-ip" } { "title": "[GuardDuty.1] GuardDuty should be enabled", "config_rule": "guardduty-enabled-centralized" } { "title": "[IAM.1] IAM policies should not allow full \"*\" administrative privileges", "config_rule": "iam-policy-no-statements-with-admin-access" } { "title": "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled", "config_rule": "opensearch-access-control-enabled" } { "title": "[RDS.13] RDS automatic minor version upgrades should be enabled", "config_rule": "rds-automatic-minor-version-upgrade-enabled" } { "title": "[RDS.18] RDS instances should be deployed in a VPC", "config_rule": "rds-deployed-in-vpc" } { "title": "[S3.6] S3 permissions granted to other 
AWS accounts in bucket policies should be restricted", "config_rule": "s3-bucket-blacklisted-actions-prohibited" } { "title": "[S3.8] S3 Block Public Access setting should be enabled at the bucket-level", "config_rule": "s3-bucket-level-public-access-prohibited" } { "title": "[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access", "config_rule": "sagemaker-notebook-no-direct-internet-access" } { "title": "[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC", "config_rule": "sagemaker-notebook-instance-inside-vpc" } { "title": "[SageMaker.3] Users should not have root access to SageMaker notebook instances", "config_rule": "sagemaker-notebook-instance-root-access-check" }
% cat result_20240204153052.json| jq '.[] | select(.Severity == "Critical") | {title: ."find_element.text" ,config_rule: ."AWS Config rule"}' { "title": "[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", "config_rule": "Not Found" } { "title": "[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials", "config_rule": "codebuild-project-source-repo-url-check" } { "title": "[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials", "config_rule": "codebuild-project-envvar-awscred-check" } { "title": "[DMS.1] Database Migration Service replication instances should not be public", "config_rule": "dms-replication-not-public" } { "title": "[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public", "config_rule": "docdb-cluster-snapshot-public-prohibited" } { "title": "[EC2.1] Amazon EBS snapshots should not be publicly restorable", "config_rule": "ebs-snapshot-public-restorable-check" } { "title": "[EC2.19] Security groups should not allow unrestrictedaccess to ports with high risk", "config_rule": "vpc-sg-restricted-common-ports" } { "title": "[SSM.4] SSM documents should not be public", "config_rule": "ssm-document-not-public" } { "title": "[EMR.2] Amazon EMR block public access setting should be enabled", "config_rule": "emr-block-public-access" } { "title": "[ES.2] Elasticsearch domains should not be publicly accessible", "config_rule": "elasticsearch-in-vpc-only" } { "title": "[IAM.4] IAM root user access key should not exist", "config_rule": "iam-root-access-key-check" } { "title": "[IAM.6] Hardware MFA should be enabled for the root user", "config_rule": "root-account-hardware-mfa-enabled" } { "title": "[IAM.9] MFA should be enabled for the root user", "config_rule": "root-account-mfa-enabled" } { "title": "[KMS.3] AWS KMS keys should not be deleted unintentionally", "config_rule": "kms-cmk-not-scheduled-for-deletion-2" 
} { "title": "[Lambda.1] Lambda function policies should prohibit public access", "config_rule": "lambda-function-public-access-prohibited" } { "title": "[Neptune.3] Neptune DB cluster snapshots should not bepublic", "config_rule": "neptune-cluster-snapshot-public-prohibited" } { "title": "[Opensearch.2] OpenSearch domains should not be publicly accessible", "config_rule": "opensearch-in-vpc-only" } { "title": "[RDS.1] RDS snapshot should be private", "config_rule": "rds-snapshots-public-prohibited" } { "title": "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", "config_rule": "rds-instance-public-access-check" } { "title": "[Redshift.1] Amazon Redshift clusters should prohibit public access", "config_rule": "redshift-cluster-public-access-check" } { "title": "[S3.2] S3 buckets should prohibit public read access", "config_rule": "s3-bucket-public-read-prohibited" } { "title": "[S3.3] S3 buckets should prohibit public write access", "config_rule": "s3-bucket-public-write-prohibited" } { "title": "[S3.19] S3 access points should have block public access settings enabled", "config_rule": "s3-access-point-public-access-blocks" }
- 次に、High の AWS Config rule を抽出してみます。 - Critical よりも低いが、セキュリティ上のリスクが高いと判断される AWS Config rule が抽出されました。 - `Not Found` となっているものは、ドキュメント上で `AWS Config rule` ではなく `AWS Configrule` となっているため、抽出できていません。 % cat result_20240204153052.json| jq '.[] | select(.Severity == "High") | {title: ."find_element.text" ,config_rule: ."AWS Config rule"}' { "title": "[Account.2] AWS accounts should be part of an AWS Organizations organization", "config_rule": "account-part-of-organizations" } { "title": "[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits", "config_rule": "acm-certificate-rsa-check" } { "title": "[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys", "config_rule": "appsync-authorization-check" } { "title": "[CloudFront.1] CloudFront distributions should have a default root object configured", "config_rule": "cloudfront-default-root-object-configured" } { "title": "[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins", "config_rule": "cloudfront-s3-origin-non-existent-bucket" } { "title": "[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "config_rule": "multi-region-cloudtrail-enabled" } { "title": "[CloudTrail.3] CloudTrail should be enabled", "config_rule": "cloudtrail-enabled" } { "title": "[CloudWatch.15] CloudWatch alarms should have specified actions configured", "config_rule": "cloudwatch-alarm-action-check" } { "title": "[CloudWatch.17] CloudWatch alarm actions should be activated", "config_rule": "cloudwatch-alarm-action-enabled-check" } { "title": "[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled", "config_rule": "codebuild-project-environment-privileged-check" } { "title": "[ECR.1] ECR private repositories should have image scanning configured", 
"config_rule": "ecr-private-image-scanning-enabled" } { "title": "[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.", "config_rule": "ecs-task-definition-user-for-host-mode-check" } { "title": "[ECS.2] ECS services should not have public IP addresses assigned to them automatically", "config_rule": "Not Found" } { "title": "[ECS.3] ECS task definitions should not share the host's process namespace", "config_rule": "Not Found" } { "title": "[ECS.4] ECS containers should run as non-privileged", "config_rule": "Not Found" } { "title": "[ECS.5] ECS containers should be limited to read-only access to root filesystems", "config_rule": "Not Found" } { "title": "[ECS.8] Secrets should not be passed as container environment variables", "config_rule": "Not Found" } { "title": "[ECS.9] ECS task definitions should have a logging configuration", "config_rule": "Not Found" } { "title": "[EC2.2] VPC default security groups should not allow inbound or outbound traffic", "config_rule": "vpc-default-security-group-closed" } { "title": "[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "config_rule": "ec2-imdsv2-check" } { "title": "[EC2.9] Amazon EC2 instances should not have a public IPv4 address", "config_rule": "ec2-instance-no-public-ip" } { "title": "[EC2.13] Security groups should not allow ingress from\n 0.0.0.0/0 or ::/0 to port 22", "config_rule": "restricted-ssh" } { "title": "[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", "config_rule": "restricted-common-ports" } { "title": "[EC2.18] Security groups should only allow unrestricted\n incoming traffic for authorized ports", "config_rule": "vpc-sg-open-only-to-authorized-ports" } { "title": "[EC2.23] Amazon EC2 Transit Gateways should not automatically\n accept VPC attachment requests", "config_rule": "ec2-transit-gateway-auto-vpc-attach-disabled" } { "title": "[EC2.25] Amazon EC2 launch templates should not 
assign public\n IPs to network interfaces", "config_rule": "ec2-launch-template-public-ip-disabled" } { "title": "[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)", "config_rule": "autoscaling-launchconfig-requires-imdsv2" } { "title": "[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1", "config_rule": "autoscaling-launch-config-hop-limit" } { "title": "[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses", "config_rule": "autoscaling-launch-config-public-ip-disabled" } { "title": "[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation", "config_rule": "ec2-managedinstance-patch-compliance-status-check" } { "title": "[EKS.1] EKS cluster endpoints should not be publicly accessible", "config_rule": "eks-endpoint-no-public-access" } { "title": "[EKS.2] EKS clusters should run on a supported Kubernetes version", "config_rule": "eks-cluster-supported-version" } { "title": "[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled", "config_rule": "elasticache-redis-cluster-automatic-backup-check" } { "title": "[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled", "config_rule": "elasticache-auto-minor-version-upgrade-check" } { "title": "[ElastiCache.7] ElastiCache clusters should not use the default subnet group", "config_rule": "elasticache-subnet-group-check" } { "title": "[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled", "config_rule": "elastic-beanstalk-managed-updates-enabled" } { "title": "[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch", "config_rule": "elastic-beanstalk-logs-to-cloudwatch" } { "title": "[EMR.1] Amazon EMR 
cluster primary nodes should not have public IP addresses", "config_rule": "emr-master-no-public-ip" } { "title": "[GuardDuty.1] GuardDuty should be enabled", "config_rule": "guardduty-enabled-centralized" } { "title": "[IAM.1] IAM policies should not allow full \"*\" administrative privileges", "config_rule": "iam-policy-no-statements-with-admin-access" } { "title": "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled", "config_rule": "opensearch-access-control-enabled" } { "title": "[RDS.13] RDS automatic minor version upgrades should be enabled", "config_rule": "rds-automatic-minor-version-upgrade-enabled" } { "title": "[RDS.18] RDS instances should be deployed in a VPC", "config_rule": "rds-deployed-in-vpc" } { "title": "[S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted", "config_rule": "s3-bucket-blacklisted-actions-prohibited" } { "title": "[S3.8] S3 Block Public Access setting should be enabled at the bucket-level", "config_rule": "s3-bucket-level-public-access-prohibited" } { "title": "[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access", "config_rule": "sagemaker-notebook-no-direct-internet-access" } { "title": "[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC", "config_rule": "sagemaker-notebook-instance-inside-vpc" } { "title": "[SageMaker.3] Users should not have root access to SageMaker notebook instances", "config_rule": "sagemaker-notebook-instance-root-access-check" }