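from datetime import datetime
import json
import logging
import os
import sys

import requests
from bs4 import BeautifulSoup

LOG_LEVEL = logging.INFO

# Per-request timeout in seconds. requests has no default timeout, so without
# one a stalled docs endpoint would hang the whole run indefinitely.
REQUEST_TIMEOUT = 30

# One "<service>-controls.html" reference page per service in the Security
# Hub user guide. Every page is parsed the same way (see main()).
URLS = [
    "https://docs.aws.amazon.com/securityhub/latest/userguide/account-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/appsync-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/athena-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/backup-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudformation-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/efs-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/emr-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/es-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/eventbridge-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/macie-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/pca-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/route53-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/sns-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/sqs-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/stepfunctions-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html",
]

# Label looked for in each control section -> how its value is extracted:
#   "code": the value is the <code class="code"> element inside the paragraph
#   "text": the value is the text that directly follows the <b> label
SEARCH_STRINGS = {
    "AWS Config rule": "code",
    "Resource type": "code",
    "Schedule type": "text",
    "Severity": "text",
}
# Each control is introduced by a heading of this tag ...
FIND_ELEMENT_NAME = "h2"
# ... and described by these sibling elements that follow the heading.
FIND_NEXT_SIBLINGS = "p"


class TimeFormatter(logging.Formatter):
    """logging.Formatter that stamps records via datetime.fromtimestamp.

    Only formatTime is overridden; the message layout comes from the format
    string passed to the constructor (see init_logger).
    """

    converter = datetime.fromtimestamp

    def formatTime(self, record, datefmt=None):
        """Return record.created rendered with *datefmt*, or the class default
        time format followed by the millisecond suffix."""
        dt = self.converter(record.created)
        if datefmt:
            return dt.strftime(datefmt)
        base = dt.strftime(self.default_time_format)
        return self.default_msec_format % (base, record.msecs)


def init_logger():
    """Return a logger that writes one JSON object per record to stdout.

    The logger does not propagate to the root logger and is set to
    LOG_LEVEL. Calling it again reuses the handler already attached instead
    of adding a duplicate, which would print every record twice.
    """
    logger = logging.getLogger(__name__)
    if logger.handlers:
        return logger
    # NOTE: record fields are %-interpolated into this template unescaped, so
    # a message containing a double quote or backslash produces an invalid
    # JSON line. Fine for the fixed messages used below; escape first before
    # logging arbitrary text through this formatter.
    log_format_string = json.dumps(
        {
            "logLevel": "%(levelname)s",
            "time": "%(asctime)s",
            "line": "%(filename)s: %(lineno)d",
            "message": "%(message)s",
        },
        indent=None,
    )
    handler = logging.StreamHandler(sys.stdout)
    handler.setFormatter(TimeFormatter(log_format_string))
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(LOG_LEVEL)
    return logger


def _section_paragraphs(heading):
    """Return the FIND_NEXT_SIBLINGS elements that belong to *heading*.

    Collection stops at the next FIND_ELEMENT_NAME sibling. Without that
    boundary a label missing from one control is satisfied by the next
    control's paragraph: the sample output below shows APIGateway.4 carrying
    APIGateway.5's Config rule and EC2.20-EC2.25 carrying EC2.28's resource
    type for exactly that reason.
    """
    paragraphs = []
    for sibling in heading.find_next_siblings():
        if sibling.name == FIND_ELEMENT_NAME:
            break
        if sibling.name == FIND_NEXT_SIBLINGS:
            paragraphs.append(sibling)
    return paragraphs


def _extract_value(paragraph, method):
    """Pull the value out of one paragraph according to *method*.

    Returns None when the paragraph does not have the expected shape (no
    <b> label, no text after it, or no <code class="code"> element), so the
    caller can keep looking instead of raising AttributeError.
    """
    if method == "text":
        label = paragraph.b
        if label is None:
            return None
        value = label.next_sibling
        # Only a text node can be stripped; a Tag here means a layout we do
        # not understand, so treat it as "not present".
        if not isinstance(value, str):
            return None
        return value.strip()
    value_element = paragraph.find(method, {"class": "code"})
    if value_element is None:
        return None
    return value_element.text


def _find_labelled_value(paragraphs, label, method):
    """Return the value for *label* from the first paragraph that carries it,
    or None when no paragraph in the section yields one."""
    for paragraph in paragraphs:
        if label not in paragraph.text:
            continue
        value = _extract_value(paragraph, method)
        if value is not None:
            return value
    return None


def _build_entry(heading, logger):
    """Return the {label: value} record for one control heading."""
    paragraphs = _section_paragraphs(heading)
    entry = {"find_element.text": heading.text}
    logger.debug("find_element: %s", heading)
    for search_string, method in SEARCH_STRINGS.items():
        value = _find_labelled_value(paragraphs, search_string, method)
        if value is None:
            value = "Not Found"
            logger.debug("search_string: %s, value: None", search_string)
        else:
            logger.debug("search_string: %s, value: %s", search_string, value)
        entry[search_string] = value
    return entry


def main():
    """Scrape every page in URLS and write the collected controls to .output/.

    Each entry holds the control heading text plus one value per key of
    SEARCH_STRINGS ("Not Found" when the label is absent from the section).
    A page that cannot be fetched (network error, timeout, non-2xx status)
    is logged at ERROR level and skipped so the rest of the run completes.
    """
    logger = init_logger()
    result = []
    for url in URLS:
        try:
            response = requests.get(url, timeout=REQUEST_TIMEOUT)
            response.raise_for_status()
        except requests.RequestException as exc:
            # Best effort per page, but make the gap in the output visible.
            logger.error("failed to fetch %s: %s", url, exc)
            continue
        response.encoding = response.apparent_encoding
        soup = BeautifulSoup(response.text, "html.parser")
        for heading in soup.find_all(FIND_ELEMENT_NAME):
            result.append(_build_entry(heading, logger))

    # exist_ok avoids the exists()/makedirs() race of the check-then-create form.
    os.makedirs(".output", exist_ok=True)
    now = datetime.now().strftime("%Y%m%d%H%M%S")
    output_path = f".output/result_{now}.json"
    with open(output_path, "w", encoding="utf-8") as f:
        json.dump(result, f, ensure_ascii=False)
    logger.info("Successfully saved the result to %s", output_path)


if __name__ == "__main__":
    main()

## JSON File of Retrieved AWS Security Hub Control References

- The actual contents of the retrieved JSON file are as follows.
- Some items are marked as `Not Found`, which means that the keywords specified in the `SEARCH_STRINGS` variable were not found.

<details>
<summary>JSON of AWS Security Hub Control References</summary>

```json
[ { "find_element.text": "[Account.1] Security contact information should be provided for an AWS account", "AWS Config rule": "security-account-information-provided", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Account.2] AWS accounts should be part of an AWS Organizations organization", "AWS Config rule": "account-part-of-organizations", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period", "AWS Config rule": "acm-certificate-expiration-check", "Resource type": "AWS::ACM::Certificate", "Schedule type": "Change triggered and periodic", "Severity": "Medium" }, { "find_element.text": "[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits", "AWS Config rule": "acm-certificate-rsa-check", "Resource type": "AWS::ACM::Certificate", 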
"Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[APIGateway.1] API Gateway REST and WebSocket API execution logging\n should be enabled", "AWS Config rule": "api-gw-execution-logging-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.2] API Gateway REST API stages should be configured to use\n SSL certificates for backend authentication", "AWS Config rule": "api-gw-ssl-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.3] API Gateway REST API stages should have AWS X-Ray\n tracing enabled", "AWS Config rule": "api-gw-xray-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[APIGateway.4] API Gateway should be associated with a WAF Web\n ACL", "AWS Config rule": "api-gw-cache-encrypted", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.5] API Gateway REST API cache data should be encrypted at\n rest", "AWS Config rule": "api-gw-cache-encrypted", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.8] API Gateway routes should specify an authorization\n type", "AWS Config rule": "api-gwv2-authorization-type-configured", "Resource type": "AWS::ApiGatewayV2::Route", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[APIGateway.9] Access logging should be configured for API Gateway V2\n Stages", "AWS Config rule": "api-gwv2-access-logs-enabled", "Resource type": "AWS::ApiGatewayV2::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AppSync.2] AWS AppSync should have field-level logging enabled", "AWS Config rule": 
"appsync-logging-enabled", "Resource type": "AWS::AppSync::GraphQLApi", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys", "AWS Config rule": "appsync-authorization-check", "Resource type": "AWS::AppSync::GraphQLApi", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Athena.1] Athena workgroups should be encrypted at\n rest", "AWS Config rule": "athena-workgroup-encrypted-at-rest", "Resource type": "AWS::Athena::WorkGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Backup.1] AWS Backup recovery points should be encrypted at rest", "AWS Config rule": "backup-recovery-point-encrypted", "Resource type": "AWS::Backup::RecoveryPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)", "AWS Config rule": "cloudformation-stack-notification-check", "Resource type": "AWS::CloudFormation::Stack", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.1] CloudFront distributions should have a default root object configured", "AWS Config rule": "cloudfront-default-root-object-configured", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CloudFront.3] CloudFront distributions should require encryption in transit", "AWS Config rule": "cloudfront-viewer-policy-https", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.4] CloudFront distributions should have origin failover configured", "AWS Config rule": "cloudfront-origin-failover-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": 
"Low" }, { "find_element.text": "[CloudFront.5] CloudFront distributions should have logging enabled", "AWS Config rule": "cloudfront-accesslogs-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.6] CloudFront distributions should have WAF enabled", "AWS Config rule": "cloudfront-associated-with-waf", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates", "AWS Config rule": "cloudfront-custom-ssl-certificate", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests", "AWS Config rule": "cloudfront-sni-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins", "AWS Config rule": "cloudfront-traffic-to-origin-encrypted", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins", "AWS Config rule": "cloudfront-no-deprecated-ssl-protocols", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins", "AWS Config rule": "cloudfront-s3-origin-non-existent-bucket", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudFront.13] CloudFront distributions should 
use origin access control", "AWS Config rule": "cloudfront-s3-origin-access-control-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "AWS Config rule": "multi-region-cloudtrail-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudTrail.2] CloudTrail should have encryption at-rest enabled", "AWS Config rule": "cloud-trail-encryption-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[CloudTrail.3] CloudTrail should be enabled", "AWS Config rule": "cloudtrail-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudTrail.4] CloudTrail log file validation should be enabled", "AWS Config rule": "cloud-trail-log-file-validation-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs", "AWS Config rule": "cloud-trail-cloud-watch-logs-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", "AWS Config rule": "Not Found", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic and change\n triggered", "Severity": "Critical" }, { "find_element.text": "[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket", "AWS Config rule": "Not Found", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": 
"[CloudWatch.1] A log metric filter and alarm should exist for usage of the \"root\" user", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes", "AWS Config rule": 
"cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.15] CloudWatch alarms should have specified actions configured", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::CloudWatch::Alarm", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CloudWatch.16] 
CloudWatch log groups should be retained for a specified time period", "AWS Config rule": "cw-loggroup-retention-period-check", "Resource type": "AWS::Logs::LogGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[CloudWatch.17] CloudWatch alarm actions should be activated", "AWS Config rule": "cloudwatch-alarm-action-enabled-check", "Resource type": "AWS::CloudWatch::Alarm", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials", "AWS Config rule": "codebuild-project-source-repo-url-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials", "AWS Config rule": "codebuild-project-envvar-awscred-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[CodeBuild.3] CodeBuild S3 logs should be encrypted", "AWS Config rule": "codebuild-project-s3-logs-encrypted", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration", "AWS Config rule": "codebuild-project-logging-enabled", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled", "AWS Config rule": "codebuild-project-environment-privileged-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Config.1] AWS Config should be enabled", "AWS Config rule": "Not Found", "Resource type": "AWS::::Account", "Schedule type": 
"Periodic", "Severity": "Medium" }, { "find_element.text": "[DMS.1] Database Migration Service replication instances should not be public", "AWS Config rule": "dms-replication-not-public", "Resource type": "AWS::DMS::ReplicationInstance", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[DMS.6] DMS replication instances should have automatic minor version upgrade enabled", "AWS Config rule": "dms-auto-minor-version-upgrade-enabled", "Resource type": "AWS::DMS::ReplicationInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.7] DMS replication tasks for the target database should have logging enabled", "AWS Config rule": "dms-replication-task-targetdb-logging", "Resource type": "AWS::DMS::ReplicationTask", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.8] DMS replication tasks for the source database should have logging enabled", "AWS Config rule": "dms-replication-task-sourcedb-logging", "Resource type": "AWS::DMS::ReplicationTask", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.9] DMS endpoints should use SSL", "AWS Config rule": "dms-endpoint-ssl-configured", "Resource type": "AWS::DMS::Endpoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at\n rest", "AWS Config rule": "docdb-cluster-encrypted", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period", "AWS Config rule": "docdb-cluster-backup-retention-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public", "AWS Config rule": 
"docdb-cluster-snapshot-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs", "AWS Config rule": "docdb-cluster-audit-logging-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled", "AWS Config rule": "docdb-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand", "AWS Config rule": "dynamodb-autoscaling-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled", "AWS Config rule": "dynamodb-pitr-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest", "AWS Config rule": "dax-encryption-enabled", "Resource type": "AWS::DynamoDB::Cluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.4] DynamoDB tables should be present in a backup plan", "AWS Config rule": "dynamodb-resources-protected-by-backup-plan", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.6] DynamoDB tables should have deletion protection enabled", "AWS Config rule": "dynamodb-table-deletion-protection-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECR.1] ECR private 
repositories should have image scanning configured", "AWS Config rule": "ecr-private-image-scanning-enabled", "Resource type": "AWS::ECR::Repository", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ECR.2] ECR private repositories should have tag immutability configured", "AWS Config rule": "ecr-private-tag-immutability-enabled", "Resource type": "AWS::ECR::Repository", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECR.3] ECR repositories should have at least one lifecycle policy configured", "AWS Config rule": "ecr-private-lifecycle-policy-configured", "Resource type": "AWS::ECR::Repository", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.", "AWS Config rule": "ecs-task-definition-user-for-host-mode-check", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.2] ECS services should not have public IP addresses assigned to them automatically", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Service", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.3] ECS task definitions should not share the host's process namespace", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.4] ECS containers should run as non-privileged", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.5] ECS containers should be limited to read-only access to root filesystems", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.8] Secrets 
should not be passed as container environment variables", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.9] ECS task definitions should have a logging configuration", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.10] ECS Fargate services should run on the latest Fargate platform version", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Service", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECS.12] ECS clusters should use Container Insights", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.1] Amazon EBS snapshots should not be publicly restorable", "AWS Config rule": "ebs-snapshot-public-restorable-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[EC2.2] VPC default security groups should not allow inbound or outbound traffic", "AWS Config rule": "vpc-default-security-group-closed", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest", "AWS Config rule": "encrypted-volumes", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.4] Stopped EC2 instances should be removed after a specified time period", "AWS Config rule": "ec2-stopped-instance", "Resource type": "AWS::EC2::Instance", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.6] VPC flow logging should be enabled in all VPCs", "AWS Config rule": "vpc-flow-logs-enabled", "Resource type": "AWS::EC2::VPC", 
"Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.7] EBS default encryption should be enabled", "AWS Config rule": "ec2-ebs-encryption-by-default", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "AWS Config rule": "ec2-imdsv2-check", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.9] Amazon EC2 instances should not have a public IPv4 address", "AWS Config rule": "ec2-instance-no-public-ip", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service", "AWS Config rule": "service-vpc-endpoint-enabled", "Resource type": "AWS::EC2::VPC", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.12] Unused Amazon EC2 EIPs should be removed", "AWS Config rule": "eip-attached", "Resource type": "AWS::EC2::EIP", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.13] Security groups should not allow ingress from\n 0.0.0.0/0 or ::/0 to port 22", "AWS Config rule": "restricted-ssh", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", "AWS Config rule": "restricted-common-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.15] Amazon EC2 subnets should not automatically assign\n public IP addresses", "AWS Config rule": "subnet-auto-assign-public-ip-disabled", "Resource type": "AWS::EC2::Subnet", "Schedule type": "Change triggered", "Severity": "Medium" }, 
{ "find_element.text": "[EC2.16] Unused Network Access Control Lists should be\n removed", "AWS Config rule": "vpc-network-acl-unused-check", "Resource type": "AWS::EC2::NetworkAcl", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.17] Amazon EC2 instances should not use multiple\n ENIs", "AWS Config rule": "ec2-instance-multiple-eni-check", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.18] Security groups should only allow unrestricted\n incoming traffic for authorized ports", "AWS Config rule": "vpc-sg-open-only-to-authorized-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.19] Security groups should not allow unrestricted\n access to ports with high risk", "AWS Config rule": "vpc-sg-restricted-common-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN\n connection should be up", "AWS Config rule": "vpc-vpn-2-tunnels-up", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.21] Network ACLs should not allow ingress from\n 0.0.0.0/0 to port 22 or port 3389", "AWS Config rule": "nacl-no-unrestricted-ssh-rdp", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.22] Unused Amazon EC2 security groups should be\n removed", "AWS Config rule": "ec2-security-group-attached-to-eni-periodic", "Resource type": "AWS::EC2::Volume", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.23] Amazon EC2 Transit Gateways should not automatically\n accept VPC attachment requests", "AWS Config rule": "ec2-transit-gateway-auto-vpc-attach-disabled", "Resource type": 
"AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.24] Amazon EC2 paravirtual instance types should not be\n used", "AWS Config rule": "ec2-paravirtual-instance-check", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.25] Amazon EC2 launch templates should not assign public\n IPs to network interfaces", "AWS Config rule": "ec2-launch-template-public-ip-disabled", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.28] EBS volumes should be covered by a backup\n plan", "AWS Config rule": "ebs-resources-protected-by-backup-plan", "Resource type": "AWS::EC2::Volume", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled", "AWS Config rule": "ec2-client-vpn-connection-log-enabled", "Resource type": "AWS::EC2::ClientVpnEndpoint", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[AutoScaling.1] Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks", "AWS Config rule": "autoscaling-group-elb-healthcheck-required", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones", "AWS Config rule": "autoscaling-multiple-az", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)", "AWS Config rule": "autoscaling-launchconfig-requires-imdsv2", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule 
type": "Change triggered", "Severity": "High" }, { "find_element.text": "[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1", "AWS Config rule": "autoscaling-launch-config-hop-limit", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses", "AWS Config rule": "autoscaling-launch-config-public-ip-disabled", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones", "AWS Config rule": "autoscaling-multiple-instance-types", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates", "AWS Config rule": "autoscaling-launch-template", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager", "AWS Config rule": "ec2-instance-managed-by-systems-manager", "Resource type": "AWS::SSM::PatchCompliance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation", "AWS Config rule": "ec2-managedinstance-patch-compliance-status-check", "Resource type": "AWS::SSM::PatchCompliance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association 
compliance status of COMPLIANT", "AWS Config rule": "ec2-managedinstance-association-compliance-status-check", "Resource type": "AWS::SSM::AssociationCompliance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[SSM.4] SSM documents should not be public", "AWS Config rule": "ssm-document-not-public", "Resource type": "AWS::SSM::Document", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS", "AWS Config rule": "efs-encrypted-check", "Resource type": "AWS::EFS::FileSystem", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EFS.2] Amazon EFS volumes should be in backup plans", "AWS Config rule": "efs-in-backup-plan", "Resource type": "AWS::EFS::FileSystem", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EFS.3] EFS access points should enforce a root directory", "AWS Config rule": "efs-access-point-enforce-root-directory", "Resource type": "AWS::EFS::AccessPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EFS.4] EFS access points should enforce a user identity", "AWS Config rule": "efs-access-point-enforce-user-identity", "Resource type": "AWS::EFS::AccessPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EKS.1] EKS cluster endpoints should not be publicly accessible", "AWS Config rule": "eks-endpoint-no-public-access", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[EKS.2] EKS clusters should run on a supported Kubernetes version", "AWS Config rule": "eks-cluster-supported-version", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EKS.8] EKS clusters should have audit logging enabled", "AWS Config rule": "eks-cluster-logging-enabled", 
"Resource type": "AWS::EKS::Cluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled", "AWS Config rule": "elasticache-redis-cluster-automatic-backup-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled", "AWS Config rule": "elasticache-auto-minor-version-upgrade-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled", "AWS Config rule": "elasticache-repl-grp-auto-failover-enabled", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest", "AWS Config rule": "elasticache-repl-grp-encrypted-at-rest", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit", "AWS Config rule": "elasticache-repl-grp-encrypted-in-transit", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH", "AWS Config rule": "elasticache-repl-grp-redis-auth-enabled", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.7] ElastiCache clusters should not use the default subnet group", "AWS Config rule": "elasticache-subnet-group-check", "Resource type": 
"AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled", "AWS Config rule": "beanstalk-enhanced-health-reporting-enabled", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled", "AWS Config rule": "elastic-beanstalk-managed-updates-enabled", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch", "AWS Config rule": "elastic-beanstalk-logs-to-cloudwatch", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS", "AWS Config rule": "alb-http-to-https-redirection-check", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager", "AWS Config rule": "elb-acm-certificate-required", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination", "AWS Config rule": "elb-tls-https-listeners-only", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.4] Application Load Balancer should be configured to drop http headers", "AWS Config rule": 
"alb-http-drop-invalid-header-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.5] Application and Classic Load Balancers logging should be enabled", "AWS Config rule": "elb-logging-enabled", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.6] Application Load Balancer deletion protection should be enabled", "AWS Config rule": "elb-deletion-protection-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.7] Classic Load Balancers should have connection draining enabled", "AWS Config rule": "elb-predefined-security-policy-ssl-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration", "AWS Config rule": "elb-predefined-security-policy-ssl-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled", "AWS Config rule": "elb-cross-zone-load-balancing-enabled", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.10] Classic Load Balancer should span multiple Availability Zones", "AWS Config rule": "clb-multiple-az", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode", "AWS Config 
rule": "alb-desync-mode-check", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones", "AWS Config rule": "elbv2-multiple-az", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode", "AWS Config rule": "clb-desync-mode-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL", "AWS Config rule": "alb-waf-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses", "AWS Config rule": "emr-master-no-public-ip", "Resource type": "AWS::EMR::Cluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[EMR.2] Amazon EMR block public access setting should be enabled", "AWS Config rule": "emr-block-public-access", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[ES.1] Elasticsearch domains should have encryption at-rest enabled", "AWS Config rule": "elasticsearch-encrypted-at-rest", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ES.2] Elasticsearch domains should not be publicly accessible", "AWS Config rule": "elasticsearch-in-vpc-only", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[ES.3] Elasticsearch 
domains should encrypt data sent between nodes", "AWS Config rule": "elasticsearch-node-to-node-encryption-check", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled", "AWS Config rule": "elasticsearch-logs-to-cloudwatch", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.5] Elasticsearch domains should have audit logging enabled", "AWS Config rule": "elasticsearch-audit-logging-enabled", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.6] Elasticsearch domains should have at least three data nodes", "AWS Config rule": "elasticsearch-data-node-fault-tolerance", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes", "AWS Config rule": "elasticsearch-https-required", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2", "AWS Config rule": "elasticsearch-https-required", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached", "AWS Config rule": "custom-schema-registry-policy-attached", "Resource type": "AWS::Events::EventBus", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EventBridge.4] EventBridge global endpoints should have event replication enabled", "AWS Config rule": 
"global-endpoint-event-replication-enabled", "Resource type": "AWS::Events::Endpoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes", "AWS Config rule": "fsx-openzfs-copy-tags-enabled", "Resource type": "AWS::FSx::FileSystem", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[GuardDuty.1] GuardDuty should be enabled", "AWS Config rule": "guardduty-enabled-centralized", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[IAM.1] IAM policies should not allow full \"*\" administrative privileges", "AWS Config rule": "iam-policy-no-statements-with-admin-access", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[IAM.2] IAM users should not have IAM policies attached", "AWS Config rule": "iam-user-no-policies-check", "Resource type": "AWS::IAM::User", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[IAM.3] IAM users' access keys should be rotated every 90 days or less", "AWS Config rule": "access-keys-rotated", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.4] IAM root user access key should not exist", "AWS Config rule": "iam-root-access-key-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.5] MFA should be enabled for all IAM users that have a console password", "AWS Config rule": "mfa-enabled-for-iam-console-access", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.6] Hardware MFA should be enabled for the root user", "AWS Config rule": "root-account-hardware-mfa-enabled", "Resource type": "AWS::::Account", "Schedule type": 
"Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.7] Password policies for IAM users should have strong configurations", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.8] Unused IAM user credentials should be removed", "AWS Config rule": "iam-user-unused-credentials-check", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.9] MFA should be enabled for the root user", "AWS Config rule": "root-account-mfa-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.10] Password policies for IAM users should have strong AWS Configurations", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.11] Ensure IAM password policy requires at least one uppercase letter", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.12] Ensure IAM password policy requires at least one lowercase letter", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.13] Ensure IAM password policy requires at least one symbol", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.14] Ensure IAM password policy requires at least one number", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater", "AWS Config rule": "iam-password-policy", 
"Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.16] Ensure IAM password policy prevents password reuse", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.17] Ensure IAM password policy expires passwords within 90 days or less", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.18] Ensure a support role has been created to manage incidents with AWS Support", "AWS Config rule": "iam-policy-in-use", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.19] MFA should be enabled for all IAM users", "AWS Config rule": "iam-user-mfa-enabled", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.20] Avoid the use of the root user", "AWS Config rule": "use-of-root-account-test", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services", "AWS Config rule": "iam-policy-no-statements-with-full-access", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[IAM.22] IAM user credentials unused for 45 days should be removed", "AWS Config rule": "iam-user-unused-credentials-check", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Kinesis.1] Kinesis streams should be encrypted at rest", "AWS Config rule": "kinesis-stream-encrypted", "Resource type": "AWS::Kinesis::Stream", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.1] IAM customer managed policies should not 
allow decryption actions on all KMS keys", "AWS Config rule": "iam-customer-policy-blocked-kms-actions", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys", "AWS Config rule": "iam-inline-policy-blocked-kms-actions", "Resource type": "AWS::KMS::Key", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.3] AWS KMS keys should not be deleted unintentionally", "AWS Config rule": "kms-cmk-not-scheduled-for-deletion-2", "Resource type": "AWS::KMS::Key", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[KMS.4] AWS KMS key rotation should be enabled", "AWS Config rule": "cmk-backing-key-rotation-enabled", "Resource type": "AWS::KMS::Key", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Lambda.1] Lambda function policies should prohibit public access", "AWS Config rule": "lambda-function-public-access-prohibited", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Lambda.2] Lambda functions should use supported runtimes", "AWS Config rule": "lambda-function-settings-check", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Lambda.3] Lambda functions should be in a VPC", "AWS Config rule": "lambda-inside-vpc", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones", "AWS Config rule": "lambda-vpc-multi-az-check", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Macie.1] Macie should be enabled", "AWS Config rule": 
"macie-status-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[MSK.1] MSK clusters should be encrypted in transit among broker nodes", "AWS Config rule": "msk-in-cluster-node-require-tls", "Resource type": "AWS::MSK::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[MSK.2] MSK clusters should have enhanced monitoring configured", "AWS Config rule": "msk-enhanced-monitoring-enabled", "Resource type": "AWS::MSK::Cluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[MQ.5] ActiveMQ brokers should use active/standby deployment mode", "AWS Config rule": "mq-active-deployment-mode", "Resource type": "AWS::AmazonMQ::Broker", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[MQ.6] RabbitMQ brokers should use cluster deployment mode", "AWS Config rule": "mq-rabbit-deployment-mode", "Resource type": "AWS::AmazonMQ::Broker", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.1] Neptune DB clusters should be encrypted at\n rest", "AWS Config rule": "neptune-cluster-encrypted", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Neptune.2] Neptune DB clusters should publish audit\n logs to CloudWatch Logs", "AWS Config rule": "neptune-cluster-cloudwatch-log-export-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Neptune.3] Neptune DB cluster snapshots should not be\n public", "AWS Config rule": "neptune-cluster-snapshot-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Neptune.4] Neptune DB clusters should have deletion\n protection enabled", "AWS Config rule": "neptune-cluster-deletion-protection-enabled", 
"Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.5] Neptune DB clusters should have automated\n backups enabled", "AWS Config rule": "neptune-cluster-backup-retention-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.6] Neptune DB cluster snapshots should be\n encrypted at rest", "AWS Config rule": "neptune-cluster-snapshot-encrypted", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.7] Neptune DB clusters should have IAM\n database authentication enabled", "AWS Config rule": "neptune-cluster-iam-database-authentication", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.8] Neptune DB clusters should be configured to\n copy tags to snapshots", "AWS Config rule": "neptune-cluster-copy-tags-to-snapshot-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones", "AWS Config rule": "neptune-cluster-multi-az-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones", "AWS Config rule": "netfw-multi-az-enabled", "Resource type": "AWS::NetworkFirewall::Firewall", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.2] Network Firewall logging should be enabled", "AWS Config rule": "netfw-logging-enabled", "Resource type": "AWS::NetworkFirewall::LoggingConfiguration", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": 
"[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated", "AWS Config rule": "netfw-policy-rule-group-associated", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets", "AWS Config rule": "netfw-policy-default-action-full-packets", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets", "AWS Config rule": "netfw-policy-default-action-fragment-packets", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty", "AWS Config rule": "netfw-stateless-rule-group-not-empty", "Resource type": "AWS::NetworkFirewall::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled", "AWS Config rule": "netfw-deletion-protection-enabled", "Resource type": "AWS::NetworkFirewall::Firewall", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.1] OpenSearch domains should have encryption at rest enabled", "AWS Config rule": "opensearch-encrypted-at-rest", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.2] OpenSearch domains should not be publicly accessible", "AWS Config rule": "opensearch-in-vpc-only", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Critical" }, { 
"find_element.text": "[Opensearch.3] OpenSearch domains should encrypt data sent between nodes", "AWS Config rule": "opensearch-node-to-node-encryption-check", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled", "AWS Config rule": "opensearch-logs-to-cloudwatch", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.5] OpenSearch domains should have audit logging enabled", "AWS Config rule": "opensearch-audit-logging-enabled", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.6] OpenSearch domains should have at least three data nodes", "AWS Config rule": "opensearch-data-node-fault-tolerance", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled", "AWS Config rule": "opensearch-access-control-enabled", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2", "AWS Config rule": "opensearch-https-required", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.10] OpenSearch domains should have the latest software update installed", "AWS Config rule": "opensearch-update-check", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[PCA.1] AWS Private CA root certificate authority should be disabled", "AWS Config rule": "acm-pca-root-ca-disabled", "Resource type": 
"AWS::ACMPCA::CertificateAuthority", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[RDS.1] RDS snapshot should be private", "AWS Config rule": "rds-snapshots-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", "AWS Config rule": "rds-instance-public-access-check", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[RDS.3] RDS DB instances should have encryption at-rest enabled", "AWS Config rule": "rds-storage-encrypted", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest", "AWS Config rule": "rds-snapshot-encrypted", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.5] RDS DB instances should be configured with multiple Availability Zones", "AWS Config rule": "rds-multi-az-support", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.6] Enhanced monitoring should be configured for RDS DB instances", "AWS Config rule": "rds-enhanced-monitoring-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.7] RDS clusters should have deletion protection enabled", "AWS Config rule": "rds-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.8] RDS DB instances should have deletion protection enabled", "AWS Config rule": 
"rds-instance-deletion-protection-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.9] RDS DB instances should publish logs to CloudWatch Logs", "AWS Config rule": "rds-logging-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.10] IAM authentication should be configured for RDS instances", "AWS Config rule": "rds-instance-iam-authentication-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.11] RDS instances should have automatic backups enabled", "AWS Config rule": "db-instance-backup-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.12] IAM authentication should be configured for RDS clusters", "AWS Config rule": "rds-cluster-iam-authentication-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.13] RDS automatic minor version upgrades should be enabled", "AWS Config rule": "rds-automatic-minor-version-upgrade-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[RDS.14] Amazon Aurora clusters should have backtracking enabled", "AWS Config rule": "aurora-mysql-backtracking-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.15] RDS DB clusters should be configured for multiple Availability Zones", "AWS Config rule": "rds-cluster-multi-az-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.16] RDS DB clusters should be configured to copy tags to snapshots", "AWS Config 
rule": "rds-cluster-copy-tags-to-snapshots-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.17] RDS DB instances should be configured to copy tags to snapshots", "AWS Config rule": "rds-instance-copy-tags-to-snapshots-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.18] RDS instances should be deployed in a VPC", "AWS Config rule": "rds-deployed-in-vpc", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events", "AWS Config rule": "rds-cluster-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events", "AWS Config rule": "rds-instance-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events", "AWS Config rule": "rds-pg-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.22] An RDS event notifications subscription should be configured for critical database security group events", "AWS Config rule": "rds-sg-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.23] RDS instances should not use a database engine default port", "AWS Config rule": "rds-no-default-ports", 
"Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.24] RDS Database clusters should use a custom administrator username", "AWS Config rule": "rds-cluster-default-admin-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.25] RDS database instances should use a custom administrator username", "AWS Config rule": "rds-instance-default-admin-check", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.26] RDS DB instances should be protected by a backup plan", "AWS Config rule": "rds-resources-protected-by-backup-plan", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[RDS.27] RDS DB clusters should be encrypted at rest", "AWS Config rule": "rds-cluster-encrypted-at-rest", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs", "AWS Config rule": "rds-aurora-mysql-audit-logging-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled", "AWS Config rule": "rds-cluster-auto-minor-version-upgrade-enable", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.1] Amazon Redshift clusters should prohibit public access", "AWS Config rule": "redshift-cluster-public-access-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit", 
"AWS Config rule": "redshift-require-tls-ssl", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled", "AWS Config rule": "redshift-backup-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.4] Amazon Redshift clusters should have audit logging enabled", "AWS Config rule": "redshift-cluster-audit-logging-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled", "AWS Config rule": "redshift-cluster-maintenancesettings-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.7] Redshift clusters should use enhanced VPC routing", "AWS Config rule": "redshift-enhanced-vpc-routing-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.8] Amazon Redshift clusters should not use the default Admin username", "AWS Config rule": "redshift-default-admin-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.9] Redshift clusters should not use the default database name", "AWS Config rule": "redshift-default-db-name-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.10] Redshift clusters should be encrypted at rest", "AWS Config rule": "redshift-cluster-kms-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Route53.2] 
Route 53 public hosted zones should log DNS queries", "AWS Config rule": "route53-query-logging-enabled", "Resource type": "AWS::Route53::HostedZone", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.1] S3 Block Public Access setting should be enabled", "AWS Config rule": "s3-account-level-public-access-blocks-periodic", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[S3.2] S3 buckets should prohibit public read access", "AWS Config rule": "s3-bucket-public-read-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Periodic and change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.3] S3 buckets should prohibit public write access", "AWS Config rule": "s3-bucket-public-write-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Periodic and change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.5] S3 buckets should require requests to use Secure Socket Layer", "AWS Config rule": "s3-bucket-ssl-requests-only", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted", "AWS Config rule": "s3-bucket-blacklisted-actions-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[S3.7] S3 buckets should have cross-Region replication enabled", "AWS Config rule": "s3-bucket-replication-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.8] S3 Block Public Access setting should be enabled at the bucket-level", "AWS Config rule": "s3-bucket-level-public-access-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[S3.9] S3 bucket 
server access logging should be enabled", "AWS Config rule": "s3-bucket-logging-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.10] S3 buckets with versioning enabled should have lifecycle policies configured", "AWS Config rule": "s3-version-lifecycle-policy-check", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.11] S3 buckets should have event notifications enabled", "AWS Config rule": "s3-event-notifications-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets", "AWS Config rule": "s3-bucket-acl-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.13] S3 buckets should have lifecycle policies configured", "AWS Config rule": "s3-lifecycle-policy-check", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.14] S3 buckets should use versioning", "AWS Config rule": "s3-bucket-versioning-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.15] S3 buckets should be configured to use Object Lock", "AWS Config rule": "s3-bucket-default-lock-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.17] S3 buckets should be encrypted at rest with AWS KMS keys", "AWS Config rule": "s3-default-encryption-kms", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.19] S3 access points should have block public access settings enabled", "AWS Config rule": 
"s3-access-point-public-access-blocks", "Resource type": "AWS::S3::AccessPoint", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.20] S3 general purpose buckets should have MFA delete enabled", "AWS Config rule": "s3-bucket-mfa-delete-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access", "AWS Config rule": "sagemaker-notebook-no-direct-internet-access", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC", "AWS Config rule": "sagemaker-notebook-instance-inside-vpc", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SageMaker.3] Users should not have root access to SageMaker notebook instances", "AWS Config rule": "sagemaker-notebook-instance-root-access-check", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled", "AWS Config rule": "secretsmanager-rotation-enabled-check", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully", "AWS Config rule": "secretsmanager-scheduled-rotation-success-check", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.3] Remove unused Secrets Manager secrets", "AWS Config rule": "secretsmanager-secret-unused", "Resource type": "AWS::SecretsManager::Secret", 
"Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days", "AWS Config rule": "secretsmanager-secret-periodic-rotation", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[SNS.1] SNS topics should be encrypted at-rest using AWS KMS", "AWS Config rule": "sns-encrypted-kms", "Resource type": "AWS::SNS::Topic", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic", "AWS Config rule": "sns-topic-message-delivery-notification-enabled", "Resource type": "AWS::SNS::Topic", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SQS.1] Amazon SQS queues should be encrypted at rest", "AWS Config rule": "sqs-queue-encrypted", "Resource type": "AWS::SQS::Queue", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[StepFunctions.1] Step Functions state machines should have\n logging turned on", "AWS Config rule": "step-functions-state-machine-logging-enabled", "Resource type": "AWS::StepFunctions::StateMachine", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled", "AWS Config rule": "waf-classic-logging-enabled", "Resource type": "AWS::WAF::WebACL", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[WAF.2] AWS WAF Classic Regional rules should have at least one condition", "AWS Config rule": "waf-regional-rule-not-empty", "Resource type": "AWS::WAFRegional::Rule", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule", "AWS Config rule": "waf-regional-rulegroup-not-empty", 
"Resource type": "AWS::WAFRegional::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group", "AWS Config rule": "waf-regional-webacl-not-empty", "Resource type": "AWS::WAFRegional::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.6] AWS WAF Classic global rules should have at least one condition", "AWS Config rule": "waf-global-rule-not-empty", "Resource type": "AWS::WAF::Rule", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.7] AWS WAF Classic global rule groups should have at least one rule", "AWS Config rule": "waf-global-rulegroup-not-empty", "Resource type": "AWS::WAF::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group", "AWS Config rule": "waf-global-webacl-not-empty", "Resource type": "AWS::WAF::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.10] AWS WAF web ACLs should have at least one rule or rule group", "AWS Config rule": "wafv2-webacl-not-empty", "Resource type": "AWS::WAFv2::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.11] AWS WAF web ACL logging should be enabled", "AWS Config rule": "wafv2-logging-enabled", "Resource type": "AWS::WAFv2::WebACL", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[WAF.12] AWS WAF rules should have CloudWatch metrics enabled", "AWS Config rule": "wafv2-rulegroup-logging-enabled", "Resource type": "AWS::WAFv2::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" } ] Filtering with Jq Command (Severity = Critical or High)
from datetime import datetime import json import requests import os import sys import logging from bs4 import BeautifulSoup
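LOG_LEVEL = logging.INFO

# Fixed list of Security Hub control-reference pages to scrape, one per
# service.  main() fetches exactly these URLs and never follows links, so
# this list is the complete set of hosts the script talks to.  The original
# listing used typographic quotes (“ ”), which is a SyntaxError in Python.
URLS = [
    "https://docs.aws.amazon.com/securityhub/latest/userguide/account-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/appsync-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/athena-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/backup-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudformation-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/codebuild-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/documentdb-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/dynamodb-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/efs-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/elasticbeanstalk-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/emr-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/es-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/eventbridge-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/kinesis-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/macie-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/msk-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/pca-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/route53-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/sns-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/sqs-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/stepfunctions-controls.html",
    "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html",
]

# Label that appears in a control's <p> -> how the value next to it is read:
#   "code": the text of the <code class="code"> element inside that <p>
#   "text": the plain text that directly follows the <b> label inside that <p>
SEARCH_STRINGS = {
    "AWS Config rule": "code",
    "Resource type": "code",
    "Schedule type": "text",
    "Severity": "text",
}

# Each control is introduced by an <h2>; its attributes live in the <p>
# siblings that follow it on the page.
FIND_ELEMENT_NAME = "h2"
FIND_NEXT_SIBLINGS = "p"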
class TimeFormatter(logging.Formatter):
    """``logging.Formatter`` whose ``asctime`` is rendered through ``datetime``.

    ``converter`` is replaced by ``datetime.fromtimestamp`` so that
    ``formatTime`` works on a ``datetime`` object (and therefore accepts any
    ``strftime`` pattern) instead of the ``time.struct_time`` the base class
    uses.
    """

    converter = datetime.fromtimestamp

    def formatTime(self, record, datefmt=None):
        """Return the creation time of *record* as a string.

        Args:
            record: the ``logging.LogRecord`` being formatted.
            datefmt: optional ``strftime`` pattern.  When empty or omitted,
                ``default_time_format`` is used and the millisecond part of
                the record is appended with ``default_msec_format``.

        Returns:
            The formatted timestamp.
        """
        stamp = self.converter(record.created)
        if not datefmt:
            base = stamp.strftime(self.default_time_format)
            return self.default_msec_format % (base, record.msecs)
        return stamp.strftime(datefmt)
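def init_logger():
    """Create and return a logger that writes one JSON-shaped line per record to stdout.

    The original listing called ``logging.getLogger(name)`` with an undefined
    ``name`` (the dunder underscores were lost in rendering); the intended
    module logger is ``__name__``.

    Returns:
        A ``logging.Logger`` named after this module, set to ``LOG_LEVEL``,
        with propagation disabled so the root logger does not emit a second
        copy of every line.
    """
    logger = logging.getLogger(__name__)

    # The format string is a JSON *template*: the %-placeholders are filled
    # in by the Formatter, not by json.dumps, so a message containing a
    # double quote or a newline yields a line that is not valid JSON.  This
    # matters for the DEBUG dumps of scraped HTML elements in main(); keep
    # that in mind if the output is fed to a log parser.
    log_format_string = json.dumps({
        'logLevel': '%(levelname)s',
        'time': '%(asctime)s',
        'line': "%(filename)s: %(lineno)d",
        'message': '%(message)s',
    }, indent=None)
    handler = logging.StreamHandler(sys.stdout)
    handler.setFormatter(TimeFormatter(log_format_string))
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(LOG_LEVEL)
    return logger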
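def _fetch_soup(url, timeout=30):
    """Download *url* and return it parsed with ``html.parser``.

    Args:
        url: page to fetch (one of ``URLS``).
        timeout: seconds to wait for connect/read.  ``requests`` has no
            default timeout, so without it a stalled connection would hang
            the whole run.

    Raises:
        requests.HTTPError: when the server answers with a 4xx/5xx status
            (previously such a page was parsed as if it were a control list).
    """
    response = requests.get(url, timeout=timeout)
    response.raise_for_status()
    response.encoding = response.apparent_encoding
    return BeautifulSoup(response.text, 'html.parser')


def _section_paragraphs(heading):
    """Return the ``FIND_NEXT_SIBLINGS`` elements that belong to *heading*'s section.

    ``find_next_siblings(FIND_NEXT_SIBLINGS)`` returns every later paragraph
    on the page, so a label missing from one control could previously be
    satisfied by the value of the *next* control.  Stopping at the next
    ``FIND_ELEMENT_NAME`` sibling keeps each value within its own section;
    if the headings are not siblings of the paragraphs this degrades to the
    old behaviour.
    """
    paragraphs = []
    for sibling in heading.find_next_siblings():
        if sibling.name == FIND_ELEMENT_NAME:
            break
        if sibling.name == FIND_NEXT_SIBLINGS:
            paragraphs.append(sibling)
    return paragraphs


def _extract_value(sibling, method):
    """Read one label's value out of a paragraph, or return ``None`` if absent.

    Args:
        sibling: a ``<p>`` element whose text contains the label.
        method: the ``SEARCH_STRINGS`` mode -- ``"text"`` takes the string
            right after the ``<b>`` label; any other value is a tag name
            looked up with ``class="code"``.
    """
    if method == "text":
        label = sibling.b
        # A <p> without a <b>, or one whose next node is a tag rather than
        # text, used to raise AttributeError and abort the whole scrape.
        if label is None or not isinstance(label.next_sibling, str):
            return None
        return label.next_sibling.strip()
    value_element = sibling.find(method, {'class': 'code'})
    return value_element.text if value_element else None


def _extract_entry(heading, logger):
    """Build the result dict for one control heading.

    Every key of ``SEARCH_STRINGS`` is present in the result; a label that
    could not be resolved maps to the literal ``"Not Found"``.
    """
    paragraphs = _section_paragraphs(heading)
    entry = {"find_element.text": heading.text}
    logger.debug(f"find_element: {heading}")
    for search_string, method in SEARCH_STRINGS.items():
        for sibling in paragraphs:
            if search_string not in sibling.text:
                continue
            value = _extract_value(sibling, method)
            if value is not None:
                entry[search_string] = value
                logger.debug(f"search_string: {search_string}, value: {value}")
                break
        if search_string not in entry:
            entry[search_string] = "Not Found"
            logger.debug(f"search_string: {search_string}, value: None")
    return entry


def main():
    """Scrape every page in ``URLS`` and save the controls to ``.output/result_<timestamp>.json``.

    Each ``<h2>`` on a page becomes one dict with the heading text plus the
    ``SEARCH_STRINGS`` attributes; the list of dicts is dumped as JSON.
    """
    logger = init_logger()

    result = []
    for url in URLS:
        soup = _fetch_soup(url)
        for heading in soup.find_all(FIND_ELEMENT_NAME):
            result.append(_extract_entry(heading, logger))

    os.makedirs('.output', exist_ok=True)
    now = datetime.now().strftime('%Y%m%d%H%M%S')
    with open(f'.output/result_{now}.json', 'w', encoding='utf-8') as f:
        json.dump(result, f, ensure_ascii=False)
    logger.info(f"Successfully saved the result to .output/result_{now}.json")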
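# Script entry point.  The rendered listing lost the dunder underscores
# (``name == "main"``), which would raise NameError; this is the intended form.
if __name__ == "__main__":
    main()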
## JSON File of Retrieved AWS Security Hub Control References - The actual contents of the retrieved JSON file are as follows. - Some items are marked as `Not Found`, which means that the keywords specified in the `SEARCH_STRINGS` variable were not found. <details> <summary>JSON of AWS Security Hub Control References</summary> ```json [ { "find_element.text": "[Account.1] Security contact information should be provided for an AWS account", "AWS Config rule": "security-account-information-provided", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Account.2] AWS accounts should be part of an AWS Organizations organization", "AWS Config rule": "account-part-of-organizations", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period", "AWS Config rule": "acm-certificate-expiration-check", "Resource type": "AWS::ACM::Certificate", "Schedule type": "Change triggered and periodic", "Severity": "Medium" }, { "find_element.text": "[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits", "AWS Config rule": "acm-certificate-rsa-check", "Resource type": "AWS::ACM::Certificate", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[APIGateway.1] API Gateway REST and WebSocket API execution logging\n should be enabled", "AWS Config rule": "api-gw-execution-logging-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.2] API Gateway REST API stages should be configured to use\n SSL certificates for backend authentication", "AWS Config rule": "api-gw-ssl-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.3] API Gateway 
REST API stages should have AWS X-Ray\n tracing enabled", "AWS Config rule": "api-gw-xray-enabled", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[APIGateway.4] API Gateway should be associated with a WAF Web\n ACL", "AWS Config rule": "api-gw-cache-encrypted", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.5] API Gateway REST API cache data should be encrypted at\n rest", "AWS Config rule": "api-gw-cache-encrypted", "Resource type": "AWS::ApiGateway::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[APIGateway.8] API Gateway routes should specify an authorization\n type", "AWS Config rule": "api-gwv2-authorization-type-configured", "Resource type": "AWS::ApiGatewayV2::Route", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[APIGateway.9] Access logging should be configured for API Gateway V2\n Stages", "AWS Config rule": "api-gwv2-access-logs-enabled", "Resource type": "AWS::ApiGatewayV2::Stage", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AppSync.2] AWS AppSync should have field-level logging enabled", "AWS Config rule": "appsync-logging-enabled", "Resource type": "AWS::AppSync::GraphQLApi", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys", "AWS Config rule": "appsync-authorization-check", "Resource type": "AWS::AppSync::GraphQLApi", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Athena.1] Athena workgroups should be encrypted at\n rest", "AWS Config rule": "athena-workgroup-encrypted-at-rest", "Resource type": "AWS::Athena::WorkGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Backup.1] 
AWS Backup recovery points should be encrypted at rest", "AWS Config rule": "backup-recovery-point-encrypted", "Resource type": "AWS::Backup::RecoveryPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)", "AWS Config rule": "cloudformation-stack-notification-check", "Resource type": "AWS::CloudFormation::Stack", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.1] CloudFront distributions should have a default root object configured", "AWS Config rule": "cloudfront-default-root-object-configured", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CloudFront.3] CloudFront distributions should require encryption in transit", "AWS Config rule": "cloudfront-viewer-policy-https", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.4] CloudFront distributions should have origin failover configured", "AWS Config rule": "cloudfront-origin-failover-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.5] CloudFront distributions should have logging enabled", "AWS Config rule": "cloudfront-accesslogs-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.6] CloudFront distributions should have WAF enabled", "AWS Config rule": "cloudfront-associated-with-waf", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates", "AWS Config rule": 
"cloudfront-custom-ssl-certificate", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests", "AWS Config rule": "cloudfront-sni-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins", "AWS Config rule": "cloudfront-traffic-to-origin-encrypted", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins", "AWS Config rule": "cloudfront-no-deprecated-ssl-protocols", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins", "AWS Config rule": "cloudfront-s3-origin-non-existent-bucket", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudFront.13] CloudFront distributions should use origin access control", "AWS Config rule": "cloudfront-s3-origin-access-control-enabled", "Resource type": "AWS::CloudFront::Distribution", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "AWS Config rule": "multi-region-cloudtrail-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudTrail.2] CloudTrail should have encryption at-rest enabled", "AWS Config rule": 
"cloud-trail-encryption-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[CloudTrail.3] CloudTrail should be enabled", "AWS Config rule": "cloudtrail-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[CloudTrail.4] CloudTrail log file validation should be enabled", "AWS Config rule": "cloud-trail-log-file-validation-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs", "AWS Config rule": "cloud-trail-cloud-watch-logs-enabled", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", "AWS Config rule": "Not Found", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic and change\n triggered", "Severity": "Critical" }, { "find_element.text": "[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket", "AWS Config rule": "Not Found", "Resource type": "AWS::CloudTrail::Trail", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.1] A log metric filter and alarm should exist for usage of the \"root\" user", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA", "AWS Config 
rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", 
"Severity": "Low" }, { "find_element.text": "[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::Logs::MetricFilter", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[CloudWatch.15] CloudWatch alarms should have specified actions configured", "AWS Config rule": "cloudwatch-alarm-action-check", "Resource type": "AWS::CloudWatch::Alarm", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CloudWatch.16] CloudWatch log groups should be retained for a specified time period", "AWS Config rule": "cw-loggroup-retention-period-check", "Resource type": "AWS::Logs::LogGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[CloudWatch.17] CloudWatch alarm actions should be activated", "AWS Config rule": "cloudwatch-alarm-action-enabled-check", "Resource type": "AWS::CloudWatch::Alarm", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials", "AWS Config rule": 
"codebuild-project-source-repo-url-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials", "AWS Config rule": "codebuild-project-envvar-awscred-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[CodeBuild.3] CodeBuild S3 logs should be encrypted", "AWS Config rule": "codebuild-project-s3-logs-encrypted", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration", "AWS Config rule": "codebuild-project-logging-enabled", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled", "AWS Config rule": "codebuild-project-environment-privileged-check", "Resource type": "AWS::CodeBuild::Project", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Config.1] AWS Config should be enabled", "AWS Config rule": "Not Found", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DMS.1] Database Migration Service replication instances should not be public", "AWS Config rule": "dms-replication-not-public", "Resource type": "AWS::DMS::ReplicationInstance", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[DMS.6] DMS replication instances should have automatic minor version upgrade enabled", "AWS Config rule": "dms-auto-minor-version-upgrade-enabled", "Resource type": "AWS::DMS::ReplicationInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.7] DMS 
replication tasks for the target database should have logging enabled", "AWS Config rule": "dms-replication-task-targetdb-logging", "Resource type": "AWS::DMS::ReplicationTask", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.8] DMS replication tasks for the source database should have logging enabled", "AWS Config rule": "dms-replication-task-sourcedb-logging", "Resource type": "AWS::DMS::ReplicationTask", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DMS.9] DMS endpoints should use SSL", "AWS Config rule": "dms-endpoint-ssl-configured", "Resource type": "AWS::DMS::Endpoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at\n rest", "AWS Config rule": "docdb-cluster-encrypted", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period", "AWS Config rule": "docdb-cluster-backup-retention-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public", "AWS Config rule": "docdb-cluster-snapshot-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs", "AWS Config rule": "docdb-cluster-audit-logging-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled", "AWS Config rule": "docdb-cluster-deletion-protection-enabled", "Resource type": 
"AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand", "AWS Config rule": "dynamodb-autoscaling-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled", "AWS Config rule": "dynamodb-pitr-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest", "AWS Config rule": "dax-encryption-enabled", "Resource type": "AWS::DynamoDB::Cluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.4] DynamoDB tables should be present in a backup plan", "AWS Config rule": "dynamodb-resources-protected-by-backup-plan", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[DynamoDB.6] DynamoDB tables should have deletion protection enabled", "AWS Config rule": "dynamodb-table-deletion-protection-enabled", "Resource type": "AWS::DynamoDB::Table", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECR.1] ECR private repositories should have image scanning configured", "AWS Config rule": "ecr-private-image-scanning-enabled", "Resource type": "AWS::ECR::Repository", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ECR.2] ECR private repositories should have tag immutability configured", "AWS Config rule": "ecr-private-tag-immutability-enabled", "Resource type": "AWS::ECR::Repository", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECR.3] ECR repositories should have at least one lifecycle policy configured", "AWS Config rule": 
"ecr-private-lifecycle-policy-configured", "Resource type": "AWS::ECR::Repository", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.", "AWS Config rule": "ecs-task-definition-user-for-host-mode-check", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.2] ECS services should not have public IP addresses assigned to them automatically", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Service", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.3] ECS task definitions should not share the host's process namespace", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.4] ECS containers should run as non-privileged", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.5] ECS containers should be limited to read-only access to root filesystems", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.8] Secrets should not be passed as container environment variables", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.9] ECS task definitions should have a logging configuration", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::TaskDefinition", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ECS.10] ECS Fargate services should run on the latest Fargate platform version", "AWS Config rule": "Not Found", "Resource type": 
"AWS::ECS::Service", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ECS.12] ECS clusters should use Container Insights", "AWS Config rule": "Not Found", "Resource type": "AWS::ECS::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.1] Amazon EBS snapshots should not be publicly restorable", "AWS Config rule": "ebs-snapshot-public-restorable-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[EC2.2] VPC default security groups should not allow inbound or outbound traffic", "AWS Config rule": "vpc-default-security-group-closed", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest", "AWS Config rule": "encrypted-volumes", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.4] Stopped EC2 instances should be removed after a specified time period", "AWS Config rule": "ec2-stopped-instance", "Resource type": "AWS::EC2::Instance", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.6] VPC flow logging should be enabled in all VPCs", "AWS Config rule": "vpc-flow-logs-enabled", "Resource type": "AWS::EC2::VPC", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.7] EBS default encryption should be enabled", "AWS Config rule": "ec2-ebs-encryption-by-default", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "AWS Config rule": "ec2-imdsv2-check", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.9] Amazon EC2 instances should not have 
a public IPv4 address", "AWS Config rule": "ec2-instance-no-public-ip", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service", "AWS Config rule": "service-vpc-endpoint-enabled", "Resource type": "AWS::EC2::VPC", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.12] Unused Amazon EC2 EIPs should be removed", "AWS Config rule": "eip-attached", "Resource type": "AWS::EC2::EIP", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.13] Security groups should not allow ingress from\n 0.0.0.0/0 or ::/0 to port 22", "AWS Config rule": "restricted-ssh", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", "AWS Config rule": "restricted-common-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.15] Amazon EC2 subnets should not automatically assign\n public IP addresses", "AWS Config rule": "subnet-auto-assign-public-ip-disabled", "Resource type": "AWS::EC2::Subnet", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.16] Unused Network Access Control Lists should be\n removed", "AWS Config rule": "vpc-network-acl-unused-check", "Resource type": "AWS::EC2::NetworkAcl", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.17] Amazon EC2 instances should not use multiple\n ENIs", "AWS Config rule": "ec2-instance-multiple-eni-check", "Resource type": "AWS::EC2::Instance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EC2.18] Security groups should only allow unrestricted\n incoming traffic 
for authorized ports", "AWS Config rule": "vpc-sg-open-only-to-authorized-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.19] Security groups should not allow unrestricted\n access to ports with high risk", "AWS Config rule": "vpc-sg-restricted-common-ports", "Resource type": "AWS::EC2::SecurityGroup", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN\n connection should be up", "AWS Config rule": "vpc-vpn-2-tunnels-up", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.21] Network ACLs should not allow ingress from\n 0.0.0.0/0 to port 22 or port 3389", "AWS Config rule": "nacl-no-unrestricted-ssh-rdp", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.22] Unused Amazon EC2 security groups should be\n removed", "AWS Config rule": "ec2-security-group-attached-to-eni-periodic", "Resource type": "AWS::EC2::Volume", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EC2.23] Amazon EC2 Transit Gateways should not automatically\n accept VPC attachment requests", "AWS Config rule": "ec2-transit-gateway-auto-vpc-attach-disabled", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EC2.24] Amazon EC2 paravirtual instance types should not be\n used", "AWS Config rule": "ec2-paravirtual-instance-check", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EC2.25] Amazon EC2 launch templates should not assign public\n IPs to network interfaces", "AWS Config rule": "ec2-launch-template-public-ip-disabled", "Resource type": "AWS::EC2::Volume", "Schedule type": "Change triggered", 
"Severity": "High" }, { "find_element.text": "[EC2.28] EBS volumes should be covered by a backup\n plan", "AWS Config rule": "ebs-resources-protected-by-backup-plan", "Resource type": "AWS::EC2::Volume", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled", "AWS Config rule": "ec2-client-vpn-connection-log-enabled", "Resource type": "AWS::EC2::ClientVpnEndpoint", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[AutoScaling.1] Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks", "AWS Config rule": "autoscaling-group-elb-healthcheck-required", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones", "AWS Config rule": "autoscaling-multiple-az", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)", "AWS Config rule": "autoscaling-launchconfig-requires-imdsv2", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1", "AWS Config rule": "autoscaling-launch-config-hop-limit", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses", "AWS Config rule": 
"autoscaling-launch-config-public-ip-disabled", "Resource type": "AWS::AutoScaling::LaunchConfiguration", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones", "AWS Config rule": "autoscaling-multiple-instance-types", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates", "AWS Config rule": "autoscaling-launch-template", "Resource type": "AWS::AutoScaling::AutoScalingGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager", "AWS Config rule": "ec2-instance-managed-by-systems-manager", "Resource type": "AWS::SSM::PatchCompliance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation", "AWS Config rule": "ec2-managedinstance-patch-compliance-status-check", "Resource type": "AWS::SSM::PatchCompliance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT", "AWS Config rule": "ec2-managedinstance-association-compliance-status-check", "Resource type": "AWS::SSM::AssociationCompliance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[SSM.4] SSM documents should not be public", "AWS Config rule": "ssm-document-not-public", "Resource type": "AWS::SSM::Document", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS 
KMS", "AWS Config rule": "efs-encrypted-check", "Resource type": "AWS::EFS::FileSystem", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EFS.2] Amazon EFS volumes should be in backup plans", "AWS Config rule": "efs-in-backup-plan", "Resource type": "AWS::EFS::FileSystem", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[EFS.3] EFS access points should enforce a root directory", "AWS Config rule": "efs-access-point-enforce-root-directory", "Resource type": "AWS::EFS::AccessPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EFS.4] EFS access points should enforce a user identity", "AWS Config rule": "efs-access-point-enforce-user-identity", "Resource type": "AWS::EFS::AccessPoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EKS.1] EKS cluster endpoints should not be publicly accessible", "AWS Config rule": "eks-endpoint-no-public-access", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[EKS.2] EKS clusters should run on a supported Kubernetes version", "AWS Config rule": "eks-cluster-supported-version", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[EKS.8] EKS clusters should have audit logging enabled", "AWS Config rule": "eks-cluster-logging-enabled", "Resource type": "AWS::EKS::Cluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled", "AWS Config rule": "elasticache-redis-cluster-automatic-backup-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled", "AWS Config rule": 
"elasticache-auto-minor-version-upgrade-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElastiCache.3] ElastiCache for Redis replication groups should have automatic failover enabled", "AWS Config rule": "elasticache-repl-grp-auto-failover-enabled", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.4] ElastiCache for Redis replication groups should be encrypted at rest", "AWS Config rule": "elasticache-repl-grp-encrypted-at-rest", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.5] ElastiCache for Redis replication groups should be encrypted in transit", "AWS Config rule": "elasticache-repl-grp-encrypted-in-transit", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.6] ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH", "AWS Config rule": "elasticache-repl-grp-redis-auth-enabled", "Resource type": "AWS::ElastiCache::ReplicationGroup", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ElastiCache.7] ElastiCache clusters should not use the default subnet group", "AWS Config rule": "elasticache-subnet-group-check", "Resource type": "AWS::ElastiCache::CacheCluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled", "AWS Config rule": "beanstalk-enhanced-health-reporting-enabled", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled", "AWS Config rule": 
"elastic-beanstalk-managed-updates-enabled", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch", "AWS Config rule": "elastic-beanstalk-logs-to-cloudwatch", "Resource type": "AWS::ElasticBeanstalk::Environment", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS", "AWS Config rule": "alb-http-to-https-redirection-check", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager", "AWS Config rule": "elb-acm-certificate-required", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination", "AWS Config rule": "elb-tls-https-listeners-only", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.4] Application Load Balancer should be configured to drop http headers", "AWS Config rule": "alb-http-drop-invalid-header-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.5] Application and Classic Load Balancers logging should be enabled", "AWS Config rule": "elb-logging-enabled", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.6] Application Load Balancer deletion protection should be enabled", "AWS Config rule": 
"elb-deletion-protection-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.7] Classic Load Balancers should have connection draining enabled", "AWS Config rule": "elb-predefined-security-policy-ssl-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration", "AWS Config rule": "elb-predefined-security-policy-ssl-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled", "AWS Config rule": "elb-cross-zone-load-balancing-enabled", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.10] Classic Load Balancer should span multiple Availability Zones", "AWS Config rule": "clb-multiple-az", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode", "AWS Config rule": "alb-desync-mode-check", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones", "AWS Config rule": "elbv2-multiple-az", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.14] Classic Load Balancer should be configured with defensive or 
strictest desync mitigation mode", "AWS Config rule": "clb-desync-mode-check", "Resource type": "AWS::ElasticLoadBalancing::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL", "AWS Config rule": "alb-waf-enabled", "Resource type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses", "AWS Config rule": "emr-master-no-public-ip", "Resource type": "AWS::EMR::Cluster", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[EMR.2] Amazon EMR block public access setting should be enabled", "AWS Config rule": "emr-block-public-access", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[ES.1] Elasticsearch domains should have encryption at-rest enabled", "AWS Config rule": "elasticsearch-encrypted-at-rest", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[ES.2] Elasticsearch domains should not be publicly accessible", "AWS Config rule": "elasticsearch-in-vpc-only", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[ES.3] Elasticsearch domains should encrypt data sent between nodes", "AWS Config rule": "elasticsearch-node-to-node-encryption-check", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled", "AWS Config rule": "elasticsearch-logs-to-cloudwatch", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.5] 
Elasticsearch domains should have audit logging enabled", "AWS Config rule": "elasticsearch-audit-logging-enabled", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.6] Elasticsearch domains should have at least three data nodes", "AWS Config rule": "elasticsearch-data-node-fault-tolerance", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes", "AWS Config rule": "elasticsearch-https-required", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2", "AWS Config rule": "elasticsearch-https-required", "Resource type": "AWS::Elasticsearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached", "AWS Config rule": "custom-schema-registry-policy-attached", "Resource type": "AWS::Events::EventBus", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[EventBridge.4] EventBridge global endpoints should have event replication enabled", "AWS Config rule": "global-endpoint-event-replication-enabled", "Resource type": "AWS::Events::Endpoint", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes", "AWS Config rule": "fsx-openzfs-copy-tags-enabled", "Resource type": "AWS::FSx::FileSystem", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[GuardDuty.1] GuardDuty should be enabled", "AWS Config rule": "guardduty-enabled-centralized", "Resource type": 
"AWS::::Account", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[IAM.1] IAM policies should not allow full \"*\" administrative privileges", "AWS Config rule": "iam-policy-no-statements-with-admin-access", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[IAM.2] IAM users should not have IAM policies attached", "AWS Config rule": "iam-user-no-policies-check", "Resource type": "AWS::IAM::User", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[IAM.3] IAM users' access keys should be rotated every 90 days or less", "AWS Config rule": "access-keys-rotated", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.4] IAM root user access key should not exist", "AWS Config rule": "iam-root-access-key-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.5] MFA should be enabled for all IAM users that have a console password", "AWS Config rule": "mfa-enabled-for-iam-console-access", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.6] Hardware MFA should be enabled for the root user", "AWS Config rule": "root-account-hardware-mfa-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.7] Password policies for IAM users should have strong configurations", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.8] Unused IAM user credentials should be removed", "AWS Config rule": "iam-user-unused-credentials-check", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.9] MFA should be enabled for the root 
user", "AWS Config rule": "root-account-mfa-enabled", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Critical" }, { "find_element.text": "[IAM.10] Password policies for IAM users should have strong AWS Configurations", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.11] Ensure IAM password policy requires at least one uppercase letter", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.12] Ensure IAM password policy requires at least one lowercase letter", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.13] Ensure IAM password policy requires at least one symbol", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.14] Ensure IAM password policy requires at least one number", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.16] Ensure IAM password policy prevents password reuse", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.17] Ensure IAM password policy expires passwords within 90 days or less", "AWS Config rule": "iam-password-policy", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": 
"[IAM.18] Ensure a support role has been created to manage incidents with AWS Support", "AWS Config rule": "iam-policy-in-use", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.19] MFA should be enabled for all IAM users", "AWS Config rule": "iam-user-mfa-enabled", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[IAM.20] Avoid the use of the root user", "AWS Config rule": "use-of-root-account-test", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services", "AWS Config rule": "iam-policy-no-statements-with-full-access", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[IAM.22] IAM user credentials unused for 45 days should be removed", "AWS Config rule": "iam-user-unused-credentials-check", "Resource type": "AWS::IAM::User", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Kinesis.1] Kinesis streams should be encrypted at rest", "AWS Config rule": "kinesis-stream-encrypted", "Resource type": "AWS::Kinesis::Stream", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys", "AWS Config rule": "iam-customer-policy-blocked-kms-actions", "Resource type": "AWS::IAM::Policy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys", "AWS Config rule": "iam-inline-policy-blocked-kms-actions", "Resource type": "AWS::KMS::Key", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[KMS.3] AWS KMS keys should not be 
deleted unintentionally", "AWS Config rule": "kms-cmk-not-scheduled-for-deletion-2", "Resource type": "AWS::KMS::Key", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[KMS.4] AWS KMS key rotation should be enabled", "AWS Config rule": "cmk-backing-key-rotation-enabled", "Resource type": "AWS::KMS::Key", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Lambda.1] Lambda function policies should prohibit public access", "AWS Config rule": "lambda-function-public-access-prohibited", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Lambda.2] Lambda functions should use supported runtimes", "AWS Config rule": "lambda-function-settings-check", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Lambda.3] Lambda functions should be in a VPC", "AWS Config rule": "lambda-inside-vpc", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones", "AWS Config rule": "lambda-vpc-multi-az-check", "Resource type": "AWS::Lambda::Function", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Macie.1] Macie should be enabled", "AWS Config rule": "macie-status-check", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[MSK.1] MSK clusters should be encrypted in transit among broker nodes", "AWS Config rule": "msk-in-cluster-node-require-tls", "Resource type": "AWS::MSK::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[MSK.2] MSK clusters should have enhanced monitoring configured", "AWS Config rule": "msk-enhanced-monitoring-enabled", "Resource type": "AWS::MSK::Cluster", "Schedule 
type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[MQ.5] ActiveMQ brokers should use active/standby deployment mode", "AWS Config rule": "mq-active-deployment-mode", "Resource type": "AWS::AmazonMQ::Broker", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[MQ.6] RabbitMQ brokers should use cluster deployment mode", "AWS Config rule": "mq-rabbit-deployment-mode", "Resource type": "AWS::AmazonMQ::Broker", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.1] Neptune DB clusters should be encrypted at\n rest", "AWS Config rule": "neptune-cluster-encrypted", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Neptune.2] Neptune DB clusters should publish audit\n logs to CloudWatch Logs", "AWS Config rule": "neptune-cluster-cloudwatch-log-export-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[Neptune.3] Neptune DB cluster snapshots should not be\n public", "AWS Config rule": "neptune-cluster-snapshot-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Neptune.4] Neptune DB clusters should have deletion\n protection enabled", "AWS Config rule": "neptune-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.5] Neptune DB clusters should have automated\n backups enabled", "AWS Config rule": "neptune-cluster-backup-retention-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.6] Neptune DB cluster snapshots should be\n encrypted at rest", "AWS Config rule": "neptune-cluster-snapshot-encrypted", "Resource type": 
"AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.7] Neptune DB clusters should have IAM\n database authentication enabled", "AWS Config rule": "neptune-cluster-iam-database-authentication", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Neptune.8] Neptune DB clusters should be configured to\n copy tags to snapshots", "AWS Config rule": "neptune-cluster-copy-tags-to-snapshot-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones", "AWS Config rule": "neptune-cluster-multi-az-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones", "AWS Config rule": "netfw-multi-az-enabled", "Resource type": "AWS::NetworkFirewall::Firewall", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.2] Network Firewall logging should be enabled", "AWS Config rule": "netfw-logging-enabled", "Resource type": "AWS::NetworkFirewall::LoggingConfiguration", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated", "AWS Config rule": "netfw-policy-rule-group-associated", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets", "AWS Config rule": "netfw-policy-default-action-full-packets", "Resource type": 
"AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets", "AWS Config rule": "netfw-policy-default-action-fragment-packets", "Resource type": "AWS::NetworkFirewall::FirewallPolicy", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty", "AWS Config rule": "netfw-stateless-rule-group-not-empty", "Resource type": "AWS::NetworkFirewall::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled", "AWS Config rule": "netfw-deletion-protection-enabled", "Resource type": "AWS::NetworkFirewall::Firewall", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.1] OpenSearch domains should have encryption at rest enabled", "AWS Config rule": "opensearch-encrypted-at-rest", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.2] OpenSearch domains should not be publicly accessible", "AWS Config rule": "opensearch-in-vpc-only", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Opensearch.3] OpenSearch domains should encrypt data sent between nodes", "AWS Config rule": "opensearch-node-to-node-encryption-check", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled", "AWS Config rule": "opensearch-logs-to-cloudwatch", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change 
triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.5] OpenSearch domains should have audit logging enabled", "AWS Config rule": "opensearch-audit-logging-enabled", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.6] OpenSearch domains should have at least three data nodes", "AWS Config rule": "opensearch-data-node-fault-tolerance", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled", "AWS Config rule": "opensearch-access-control-enabled", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[Opensearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2", "AWS Config rule": "opensearch-https-required", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Opensearch.10] OpenSearch domains should have the latest software update installed", "AWS Config rule": "opensearch-update-check", "Resource type": "AWS::OpenSearch::Domain", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[PCA.1] AWS Private CA root certificate authority should be disabled", "AWS Config rule": "acm-pca-root-ca-disabled", "Resource type": "AWS::ACMPCA::CertificateAuthority", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[RDS.1] RDS snapshot should be private", "AWS Config rule": "rds-snapshots-public-prohibited", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", "AWS Config rule": 
"rds-instance-public-access-check", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[RDS.3] RDS DB instances should have encryption at-rest enabled", "AWS Config rule": "rds-storage-encrypted", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest", "AWS Config rule": "rds-snapshot-encrypted", "Resource type": "AWS::RDS::DBClusterSnapshot", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.5] RDS DB instances should be configured with multiple Availability Zones", "AWS Config rule": "rds-multi-az-support", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.6] Enhanced monitoring should be configured for RDS DB instances", "AWS Config rule": "rds-enhanced-monitoring-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.7] RDS clusters should have deletion protection enabled", "AWS Config rule": "rds-cluster-deletion-protection-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.8] RDS DB instances should have deletion protection enabled", "AWS Config rule": "rds-instance-deletion-protection-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.9] RDS DB instances should publish logs to CloudWatch Logs", "AWS Config rule": "rds-logging-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.10] IAM authentication should be configured for RDS instances", "AWS Config rule": 
"rds-instance-iam-authentication-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.11] RDS instances should have automatic backups enabled", "AWS Config rule": "db-instance-backup-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.12] IAM authentication should be configured for RDS clusters", "AWS Config rule": "rds-cluster-iam-authentication-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.13] RDS automatic minor version upgrades should be enabled", "AWS Config rule": "rds-automatic-minor-version-upgrade-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[RDS.14] Amazon Aurora clusters should have backtracking enabled", "AWS Config rule": "aurora-mysql-backtracking-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.15] RDS DB clusters should be configured for multiple Availability Zones", "AWS Config rule": "rds-cluster-multi-az-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.16] RDS DB clusters should be configured to copy tags to snapshots", "AWS Config rule": "rds-cluster-copy-tags-to-snapshots-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.17] RDS DB instances should be configured to copy tags to snapshots", "AWS Config rule": "rds-instance-copy-tags-to-snapshots-enabled", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.18] RDS instances should be deployed in a VPC", 
"AWS Config rule": "rds-deployed-in-vpc", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events", "AWS Config rule": "rds-cluster-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events", "AWS Config rule": "rds-instance-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events", "AWS Config rule": "rds-pg-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.22] An RDS event notifications subscription should be configured for critical database security group events", "AWS Config rule": "rds-sg-event-notifications-configured", "Resource type": "AWS::RDS::EventSubscription", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.23] RDS instances should not use a database engine default port", "AWS Config rule": "rds-no-default-ports", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[RDS.24] RDS Database clusters should use a custom administrator username", "AWS Config rule": "rds-cluster-default-admin-check", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.25] RDS database instances should use a custom administrator username", "AWS Config rule": 
"rds-instance-default-admin-check", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.26] RDS DB instances should be protected by a backup plan", "AWS Config rule": "rds-resources-protected-by-backup-plan", "Resource type": "AWS::RDS::DBInstance", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[RDS.27] RDS DB clusters should be encrypted at rest", "AWS Config rule": "rds-cluster-encrypted-at-rest", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs", "AWS Config rule": "rds-aurora-mysql-audit-logging-enabled", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled", "AWS Config rule": "rds-cluster-auto-minor-version-upgrade-enable", "Resource type": "AWS::RDS::DBCluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.1] Amazon Redshift clusters should prohibit public access", "AWS Config rule": "redshift-cluster-public-access-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit", "AWS Config rule": "redshift-require-tls-ssl", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled", "AWS Config rule": "redshift-backup-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.4] Amazon Redshift clusters should 
have audit logging enabled", "AWS Config rule": "redshift-cluster-audit-logging-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled", "AWS Config rule": "redshift-cluster-maintenancesettings-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.7] Redshift clusters should use enhanced VPC routing", "AWS Config rule": "redshift-enhanced-vpc-routing-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.8] Amazon Redshift clusters should not use the default Admin username", "AWS Config rule": "redshift-default-admin-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.9] Redshift clusters should not use the default database name", "AWS Config rule": "redshift-default-db-name-check", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Redshift.10] Redshift clusters should be encrypted at rest", "AWS Config rule": "redshift-cluster-kms-enabled", "Resource type": "AWS::Redshift::Cluster", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[Route53.2] Route 53 public hosted zones should log DNS queries", "AWS Config rule": "route53-query-logging-enabled", "Resource type": "AWS::Route53::HostedZone", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.1] S3 Block Public Access setting should be enabled", "AWS Config rule": "s3-account-level-public-access-blocks-periodic", "Resource type": "AWS::::Account", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": 
"[S3.2] S3 buckets should prohibit public read access", "AWS Config rule": "s3-bucket-public-read-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Periodic and change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.3] S3 buckets should prohibit public write access", "AWS Config rule": "s3-bucket-public-write-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Periodic and change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.5] S3 buckets should require requests to use Secure Socket Layer", "AWS Config rule": "s3-bucket-ssl-requests-only", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted", "AWS Config rule": "s3-bucket-blacklisted-actions-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[S3.7] S3 buckets should have cross-Region replication enabled", "AWS Config rule": "s3-bucket-replication-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.8] S3 Block Public Access setting should be enabled at the bucket-level", "AWS Config rule": "s3-bucket-level-public-access-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[S3.9] S3 bucket server access logging should be enabled", "AWS Config rule": "s3-bucket-logging-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.10] S3 buckets with versioning enabled should have lifecycle policies configured", "AWS Config rule": "s3-version-lifecycle-policy-check", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": 
"[S3.11] S3 buckets should have event notifications enabled", "AWS Config rule": "s3-event-notifications-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets", "AWS Config rule": "s3-bucket-acl-prohibited", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.13] S3 buckets should have lifecycle policies configured", "AWS Config rule": "s3-lifecycle-policy-check", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.14] S3 buckets should use versioning", "AWS Config rule": "s3-bucket-versioning-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[S3.15] S3 buckets should be configured to use Object Lock", "AWS Config rule": "s3-bucket-default-lock-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.17] S3 buckets should be encrypted at rest with AWS KMS keys", "AWS Config rule": "s3-default-encryption-kms", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[S3.19] S3 access points should have block public access settings enabled", "AWS Config rule": "s3-access-point-public-access-blocks", "Resource type": "AWS::S3::AccessPoint", "Schedule type": "Change triggered", "Severity": "Critical" }, { "find_element.text": "[S3.20] S3 general purpose buckets should have MFA delete enabled", "AWS Config rule": "s3-bucket-mfa-delete-enabled", "Resource type": "AWS::S3::Bucket", "Schedule type": "Change triggered", "Severity": "Low" }, { "find_element.text": "[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access", 
"AWS Config rule": "sagemaker-notebook-no-direct-internet-access", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Periodic", "Severity": "High" }, { "find_element.text": "[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC", "AWS Config rule": "sagemaker-notebook-instance-inside-vpc", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SageMaker.3] Users should not have root access to SageMaker notebook instances", "AWS Config rule": "sagemaker-notebook-instance-root-access-check", "Resource type": "AWS::SageMaker::NotebookInstance", "Schedule type": "Change triggered", "Severity": "High" }, { "find_element.text": "[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled", "AWS Config rule": "secretsmanager-rotation-enabled-check", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully", "AWS Config rule": "secretsmanager-scheduled-rotation-success-check", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.3] Remove unused Secrets Manager secrets", "AWS Config rule": "secretsmanager-secret-unused", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days", "AWS Config rule": "secretsmanager-secret-periodic-rotation", "Resource type": "AWS::SecretsManager::Secret", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[SNS.1] SNS topics should be encrypted at-rest using AWS KMS", "AWS Config rule": "sns-encrypted-kms", "Resource type": 
"AWS::SNS::Topic", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic", "AWS Config rule": "sns-topic-message-delivery-notification-enabled", "Resource type": "AWS::SNS::Topic", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[SQS.1] Amazon SQS queues should be encrypted at rest", "AWS Config rule": "sqs-queue-encrypted", "Resource type": "AWS::SQS::Queue", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[StepFunctions.1] Step Functions state machines should have\n logging turned on", "AWS Config rule": "step-functions-state-machine-logging-enabled", "Resource type": "AWS::StepFunctions::StateMachine", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled", "AWS Config rule": "waf-classic-logging-enabled", "Resource type": "AWS::WAF::WebACL", "Schedule type": "Periodic", "Severity": "Medium" }, { "find_element.text": "[WAF.2] AWS WAF Classic Regional rules should have at least one condition", "AWS Config rule": "waf-regional-rule-not-empty", "Resource type": "AWS::WAFRegional::Rule", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.3] AWS WAF Classic Regional rule groups should have at least one rule", "AWS Config rule": "waf-regional-rulegroup-not-empty", "Resource type": "AWS::WAFRegional::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group", "AWS Config rule": "waf-regional-webacl-not-empty", "Resource type": "AWS::WAFRegional::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.6] AWS WAF Classic global rules should have at least one condition", "AWS 
Config rule": "waf-global-rule-not-empty", "Resource type": "AWS::WAF::Rule", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.7] AWS WAF Classic global rule groups should have at least one rule", "AWS Config rule": "waf-global-rulegroup-not-empty", "Resource type": "AWS::WAF::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group", "AWS Config rule": "waf-global-webacl-not-empty", "Resource type": "AWS::WAF::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.10] AWS WAF web ACLs should have at least one rule or rule group", "AWS Config rule": "wafv2-webacl-not-empty", "Resource type": "AWS::WAFv2::WebACL", "Schedule type": "Change triggered", "Severity": "Medium" }, { "find_element.text": "[WAF.11] AWS WAF web ACL logging should be enabled", "AWS Config rule": "wafv2-logging-enabled", "Resource type": "AWS::WAFv2::WebACL", "Schedule type": "Periodic", "Severity": "Low" }, { "find_element.text": "[WAF.12] AWS WAF rules should have CloudWatch metrics enabled", "AWS Config rule": "wafv2-rulegroup-logging-enabled", "Resource type": "AWS::WAFv2::RuleGroup", "Schedule type": "Change triggered", "Severity": "Medium" } ]
I filtered the retrieved JSON file with jq to extract the AWS Config rules by severity.
First, let’s extract the AWS Config rules with Critical severity.
Not Found
% cat result_20240204153052.json| jq '.[] | select(.Severity == "Critical") | {title: ."find_element.text" ,config_rule: ."AWS Config rule"}' { "title": "[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", "config_rule": "Not Found" } { "title": "[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials", "config_rule": "codebuild-project-source-repo-url-check" } { "title": "[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials", "config_rule": "codebuild-project-envvar-awscred-check" } { "title": "[DMS.1] Database Migration Service replication instances should not be public", "config_rule": "dms-replication-not-public" } { "title": "[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public", "config_rule": "docdb-cluster-snapshot-public-prohibited" } { "title": "[EC2.1] Amazon EBS snapshots should not be publicly restorable", "config_rule": "ebs-snapshot-public-restorable-check" } { "title": "[EC2.19] Security groups should not allow unrestricted access to ports with high risk", "config_rule": "vpc-sg-restricted-common-ports" } { "title": "[SSM.4] SSM documents should not be public", "config_rule": "ssm-document-not-public" } { "title": "[EMR.2] Amazon EMR block public access setting should be enabled", "config_rule": "emr-block-public-access" } { "title": "[ES.2] Elasticsearch domains should not be publicly accessible", "config_rule": "elasticsearch-in-vpc-only" } { "title": "[IAM.4] IAM root user access key should not exist", "config_rule": "iam-root-access-key-check" } { "title": "[IAM.6] Hardware MFA should be enabled for the root user", "config_rule": "root-account-hardware-mfa-enabled" } { "title": "[IAM.9] MFA should be enabled for the root user", "config_rule": "root-account-mfa-enabled" } { "title": "[KMS.3] AWS KMS keys should not be deleted unintentionally", "config_rule": "kms-cmk-not-scheduled-for-deletion-2"
} { "title": "[Lambda.1] Lambda function policies should prohibit public access", "config_rule": "lambda-function-public-access-prohibited" } { "title": "[Neptune.3] Neptune DB cluster snapshots should not be public", "config_rule": "neptune-cluster-snapshot-public-prohibited" } { "title": "[Opensearch.2] OpenSearch domains should not be publicly accessible", "config_rule": "opensearch-in-vpc-only" } { "title": "[RDS.1] RDS snapshot should be private", "config_rule": "rds-snapshots-public-prohibited" } { "title": "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", "config_rule": "rds-instance-public-access-check" } { "title": "[Redshift.1] Amazon Redshift clusters should prohibit public access", "config_rule": "redshift-cluster-public-access-check" } { "title": "[S3.2] S3 buckets should prohibit public read access", "config_rule": "s3-bucket-public-read-prohibited" } { "title": "[S3.3] S3 buckets should prohibit public write access", "config_rule": "s3-bucket-public-write-prohibited" } { "title": "[S3.19] S3 access points should have block public access settings enabled", "config_rule": "s3-access-point-public-access-blocks" } - Next, let's extract the AWS Config rules with High severity. - This extracts the AWS Config rules rated High: a significant security risk, but below Critical. - The items marked as `Not Found` have no rule name extracted because the document lists them under `AWS Configrule` instead of `AWS Config rule`. Review those entries manually before using this mapping to deploy or audit Config rules (CloudTrail.6 is rated Critical and ECS.2 through ECS.9 are rated High), since a severity-based filter would otherwise silently lose them.
% cat result_20240204153052.json| jq '.[] | select(.Severity == "High") | {title: ."find_element.text" ,config_rule: ."AWS Config rule"}' { "title": "[Account.2] AWS accounts should be part of an AWS Organizations organization", "config_rule": "account-part-of-organizations" } { "title": "[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits", "config_rule": "acm-certificate-rsa-check" } { "title": "[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys", "config_rule": "appsync-authorization-check" } { "title": "[CloudFront.1] CloudFront distributions should have a default root object configured", "config_rule": "cloudfront-default-root-object-configured" } { "title": "[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins", "config_rule": "cloudfront-s3-origin-non-existent-bucket" } { "title": "[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "config_rule": "multi-region-cloudtrail-enabled" } { "title": "[CloudTrail.3] CloudTrail should be enabled", "config_rule": "cloudtrail-enabled" } { "title": "[CloudWatch.15] CloudWatch alarms should have specified actions configured", "config_rule": "cloudwatch-alarm-action-check" } { "title": "[CloudWatch.17] CloudWatch alarm actions should be activated", "config_rule": "cloudwatch-alarm-action-enabled-check" } { "title": "[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled", "config_rule": "codebuild-project-environment-privileged-check" } { "title": "[ECR.1] ECR private repositories should have image scanning configured", "config_rule": "ecr-private-image-scanning-enabled" } { "title": "[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.", "config_rule": 
"ecs-task-definition-user-for-host-mode-check" } { "title": "[ECS.2] ECS services should not have public IP addresses assigned to them automatically", "config_rule": "Not Found" } { "title": "[ECS.3] ECS task definitions should not share the host's process namespace", "config_rule": "Not Found" } { "title": "[ECS.4] ECS containers should run as non-privileged", "config_rule": "Not Found" } { "title": "[ECS.5] ECS containers should be limited to read-only access to root filesystems", "config_rule": "Not Found" } { "title": "[ECS.8] Secrets should not be passed as container environment variables", "config_rule": "Not Found" } { "title": "[ECS.9] ECS task definitions should have a logging configuration", "config_rule": "Not Found" } { "title": "[EC2.2] VPC default security groups should not allow inbound or outbound traffic", "config_rule": "vpc-default-security-group-closed" } { "title": "[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "config_rule": "ec2-imdsv2-check" } { "title": "[EC2.9] Amazon EC2 instances should not have a public IPv4 address", "config_rule": "ec2-instance-no-public-ip" } { "title": "[EC2.13] Security groups should not allow ingress from\n 0.0.0.0/0 or ::/0 to port 22", "config_rule": "restricted-ssh" } { "title": "[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", "config_rule": "restricted-common-ports" } { "title": "[EC2.18] Security groups should only allow unrestricted\n incoming traffic for authorized ports", "config_rule": "vpc-sg-open-only-to-authorized-ports" } { "title": "[EC2.23] Amazon EC2 Transit Gateways should not automatically\n accept VPC attachment requests", "config_rule": "ec2-transit-gateway-auto-vpc-attach-disabled" } { "title": "[EC2.25] Amazon EC2 launch templates should not assign public\n IPs to network interfaces", "config_rule": "ec2-launch-template-public-ip-disabled" } { "title": "[AutoScaling.3] Auto Scaling group launch configurations should 
configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)", "config_rule": "autoscaling-launchconfig-requires-imdsv2" } { "title": "[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1", "config_rule": "autoscaling-launch-config-hop-limit" } { "title": "[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses", "config_rule": "autoscaling-launch-config-public-ip-disabled" } { "title": "[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation", "config_rule": "ec2-managedinstance-patch-compliance-status-check" } { "title": "[EKS.1] EKS cluster endpoints should not be publicly accessible", "config_rule": "eks-endpoint-no-public-access" } { "title": "[EKS.2] EKS clusters should run on a supported Kubernetes version", "config_rule": "eks-cluster-supported-version" } { "title": "[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled", "config_rule": "elasticache-redis-cluster-automatic-backup-check" } { "title": "[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled", "config_rule": "elasticache-auto-minor-version-upgrade-check" } { "title": "[ElastiCache.7] ElastiCache clusters should not use the default subnet group", "config_rule": "elasticache-subnet-group-check" } { "title": "[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled", "config_rule": "elastic-beanstalk-managed-updates-enabled" } { "title": "[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch", "config_rule": "elastic-beanstalk-logs-to-cloudwatch" } { "title": "[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses", "config_rule": "emr-master-no-public-ip" } { "title": "[GuardDuty.1] GuardDuty should be enabled", "config_rule": 
"guardduty-enabled-centralized" } { "title": "[IAM.1] IAM policies should not allow full \"*\" administrative privileges", "config_rule": "iam-policy-no-statements-with-admin-access" } { "title": "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled", "config_rule": "opensearch-access-control-enabled" } { "title": "[RDS.13] RDS automatic minor version upgrades should be enabled", "config_rule": "rds-automatic-minor-version-upgrade-enabled" } { "title": "[RDS.18] RDS instances should be deployed in a VPC", "config_rule": "rds-deployed-in-vpc" } { "title": "[S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted", "config_rule": "s3-bucket-blacklisted-actions-prohibited" } { "title": "[S3.8] S3 Block Public Access setting should be enabled at the bucket-level", "config_rule": "s3-bucket-level-public-access-prohibited" } { "title": "[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access", "config_rule": "sagemaker-notebook-no-direct-internet-access" } { "title": "[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC", "config_rule": "sagemaker-notebook-instance-inside-vpc" } { "title": "[SageMaker.3] Users should not have root access to SageMaker notebook instances", "config_rule": "sagemaker-notebook-instance-root-access-check" }
% cat result_20240204153052.json| jq '.[] | select(.Severity == "Critical") | {title: ."find_element.text" ,config_rule: ."AWS Config rule"}' { "title": "[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", "config_rule": "Not Found" } { "title": "[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials", "config_rule": "codebuild-project-source-repo-url-check" } { "title": "[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials", "config_rule": "codebuild-project-envvar-awscred-check" } { "title": "[DMS.1] Database Migration Service replication instances should not be public", "config_rule": "dms-replication-not-public" } { "title": "[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public", "config_rule": "docdb-cluster-snapshot-public-prohibited" } { "title": "[EC2.1] Amazon EBS snapshots should not be publicly restorable", "config_rule": "ebs-snapshot-public-restorable-check" } { "title": "[EC2.19] Security groups should not allow unrestricted access to ports with high risk", "config_rule": "vpc-sg-restricted-common-ports" } { "title": "[SSM.4] SSM documents should not be public", "config_rule": "ssm-document-not-public" } { "title": "[EMR.2] Amazon EMR block public access setting should be enabled", "config_rule": "emr-block-public-access" } { "title": "[ES.2] Elasticsearch domains should not be publicly accessible", "config_rule": "elasticsearch-in-vpc-only" } { "title": "[IAM.4] IAM root user access key should not exist", "config_rule": "iam-root-access-key-check" } { "title": "[IAM.6] Hardware MFA should be enabled for the root user", "config_rule": "root-account-hardware-mfa-enabled" } { "title": "[IAM.9] MFA should be enabled for the root user", "config_rule": "root-account-mfa-enabled" } { "title": "[KMS.3] AWS KMS keys should not be deleted unintentionally", "config_rule": "kms-cmk-not-scheduled-for-deletion-2"
} { "title": "[Lambda.1] Lambda function policies should prohibit public access", "config_rule": "lambda-function-public-access-prohibited" } { "title": "[Neptune.3] Neptune DB cluster snapshots should not be public", "config_rule": "neptune-cluster-snapshot-public-prohibited" } { "title": "[Opensearch.2] OpenSearch domains should not be publicly accessible", "config_rule": "opensearch-in-vpc-only" } { "title": "[RDS.1] RDS snapshot should be private", "config_rule": "rds-snapshots-public-prohibited" } { "title": "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration", "config_rule": "rds-instance-public-access-check" } { "title": "[Redshift.1] Amazon Redshift clusters should prohibit public access", "config_rule": "redshift-cluster-public-access-check" } { "title": "[S3.2] S3 buckets should prohibit public read access", "config_rule": "s3-bucket-public-read-prohibited" } { "title": "[S3.3] S3 buckets should prohibit public write access", "config_rule": "s3-bucket-public-write-prohibited" } { "title": "[S3.19] S3 access points should have block public access settings enabled", "config_rule": "s3-access-point-public-access-blocks" }
- Next, let's extract the AWS Config rules with High severity. - This extracts the AWS Config rules rated High: a significant security risk, but below Critical. - The items marked as `Not Found` have no rule name extracted because the document lists them under `AWS Configrule` instead of `AWS Config rule`. Review those entries manually before using this mapping to deploy or audit Config rules (CloudTrail.6 is rated Critical and ECS.2 through ECS.9 are rated High), since a severity-based filter would otherwise silently lose them. % cat result_20240204153052.json| jq '.[] | select(.Severity == "High") | {title: ."find_element.text" ,config_rule: ."AWS Config rule"}' { "title": "[Account.2] AWS accounts should be part of an AWS Organizations organization", "config_rule": "account-part-of-organizations" } { "title": "[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits", "config_rule": "acm-certificate-rsa-check" } { "title": "[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys", "config_rule": "appsync-authorization-check" } { "title": "[CloudFront.1] CloudFront distributions should have a default root object configured", "config_rule": "cloudfront-default-root-object-configured" } { "title": "[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins", "config_rule": "cloudfront-s3-origin-non-existent-bucket" } { "title": "[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "config_rule": "multi-region-cloudtrail-enabled" } { "title": "[CloudTrail.3] CloudTrail should be enabled", "config_rule": "cloudtrail-enabled" } { "title": "[CloudWatch.15] CloudWatch alarms should have specified actions configured", "config_rule": "cloudwatch-alarm-action-check" } { "title": "[CloudWatch.17] CloudWatch alarm actions should be activated", "config_rule": "cloudwatch-alarm-action-enabled-check" } { "title": "[CodeBuild.5] CodeBuild project environments should not have privileged mode enabled", "config_rule": 
"codebuild-project-environment-privileged-check" } { "title": "[ECR.1] ECR private repositories should have image scanning configured", "config_rule": "ecr-private-image-scanning-enabled" } { "title": "[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.", "config_rule": "ecs-task-definition-user-for-host-mode-check" } { "title": "[ECS.2] ECS services should not have public IP addresses assigned to them automatically", "config_rule": "Not Found" } { "title": "[ECS.3] ECS task definitions should not share the host's process namespace", "config_rule": "Not Found" } { "title": "[ECS.4] ECS containers should run as non-privileged", "config_rule": "Not Found" } { "title": "[ECS.5] ECS containers should be limited to read-only access to root filesystems", "config_rule": "Not Found" } { "title": "[ECS.8] Secrets should not be passed as container environment variables", "config_rule": "Not Found" } { "title": "[ECS.9] ECS task definitions should have a logging configuration", "config_rule": "Not Found" } { "title": "[EC2.2] VPC default security groups should not allow inbound or outbound traffic", "config_rule": "vpc-default-security-group-closed" } { "title": "[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "config_rule": "ec2-imdsv2-check" } { "title": "[EC2.9] Amazon EC2 instances should not have a public IPv4 address", "config_rule": "ec2-instance-no-public-ip" } { "title": "[EC2.13] Security groups should not allow ingress from\n 0.0.0.0/0 or ::/0 to port 22", "config_rule": "restricted-ssh" } { "title": "[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389", "config_rule": "restricted-common-ports" } { "title": "[EC2.18] Security groups should only allow unrestricted\n incoming traffic for authorized ports", "config_rule": "vpc-sg-open-only-to-authorized-ports" } { "title": "[EC2.23] Amazon EC2 Transit Gateways should not automatically\n accept VPC attachment 
requests", "config_rule": "ec2-transit-gateway-auto-vpc-attach-disabled" } { "title": "[EC2.25] Amazon EC2 launch templates should not assign public\n IPs to network interfaces", "config_rule": "ec2-launch-template-public-ip-disabled" } { "title": "[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)", "config_rule": "autoscaling-launchconfig-requires-imdsv2" } { "title": "[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1", "config_rule": "autoscaling-launch-config-hop-limit" } { "title": "[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses", "config_rule": "autoscaling-launch-config-public-ip-disabled" } { "title": "[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation", "config_rule": "ec2-managedinstance-patch-compliance-status-check" } { "title": "[EKS.1] EKS cluster endpoints should not be publicly accessible", "config_rule": "eks-endpoint-no-public-access" } { "title": "[EKS.2] EKS clusters should run on a supported Kubernetes version", "config_rule": "eks-cluster-supported-version" } { "title": "[ElastiCache.1] ElastiCache Redis clusters should have automatic backup enabled", "config_rule": "elasticache-redis-cluster-automatic-backup-check" } { "title": "[ElastiCache.2] ElastiCache for Redis cache clusters should have auto minor version upgrade enabled", "config_rule": "elasticache-auto-minor-version-upgrade-check" } { "title": "[ElastiCache.7] ElastiCache clusters should not use the default subnet group", "config_rule": "elasticache-subnet-group-check" } { "title": "[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled", "config_rule": "elastic-beanstalk-managed-updates-enabled" } { "title": "[ElasticBeanstalk.3] Elastic 
Beanstalk should stream logs to CloudWatch", "config_rule": "elastic-beanstalk-logs-to-cloudwatch" } { "title": "[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses", "config_rule": "emr-master-no-public-ip" } { "title": "[GuardDuty.1] GuardDuty should be enabled", "config_rule": "guardduty-enabled-centralized" } { "title": "[IAM.1] IAM policies should not allow full \"*\" administrative privileges", "config_rule": "iam-policy-no-statements-with-admin-access" } { "title": "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled", "config_rule": "opensearch-access-control-enabled" } { "title": "[RDS.13] RDS automatic minor version upgrades should be enabled", "config_rule": "rds-automatic-minor-version-upgrade-enabled" } { "title": "[RDS.18] RDS instances should be deployed in a VPC", "config_rule": "rds-deployed-in-vpc" } { "title": "[S3.6] S3 permissions granted to other AWS accounts in bucket policies should be restricted", "config_rule": "s3-bucket-blacklisted-actions-prohibited" } { "title": "[S3.8] S3 Block Public Access setting should be enabled at the bucket-level", "config_rule": "s3-bucket-level-public-access-prohibited" } { "title": "[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access", "config_rule": "sagemaker-notebook-no-direct-internet-access" } { "title": "[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC", "config_rule": "sagemaker-notebook-instance-inside-vpc" } { "title": "[SageMaker.3] Users should not have root access to SageMaker notebook instances", "config_rule": "sagemaker-notebook-instance-root-access-check" }