diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
new file mode 100644
index 0000000..79f940b
--- /dev/null
+++ b/.github/workflows/pull-request.yaml
@@ -0,0 +1,96 @@
+name: On Pull Request
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+
+jobs:
+ get-changes:
+ name: Get Changed Files
+ runs-on: ubuntu-latest
+ outputs:
+ any_changed: ${{ steps.changed-files.outputs.any_changed }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v44
+ with:
+ files: "*.tf"
+
+ - name: List all changed files
+ run: echo '${{ steps.changed-files.outputs.all_changed_files }}'
+
+ tflint:
+ name: Run TFLint
+ runs-on: ubuntu-latest
+ needs:
+ - get-changes
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - uses: actions/cache@v4
+ name: Cache plugin dir
+ with:
+ path: ~/.tflint.d/plugins
+ key: tflint-${{ hashFiles('.tflint.hcl') }}
+
+ - uses: terraform-linters/setup-tflint@v4
+ name: Setup TFLint
+ with:
+ tflint_version: v0.50.3
+
+ - name: Show version
+ run: tflint --version
+
+ - name: Init TFLint
+ run: tflint --init
+
+ - name: Run TFLint
+ run: tflint --disable-rule=terraform_required_version
+
+ terraform-fmt:
+ name: Terraform Format
+ runs-on: ubuntu-latest
+ needs:
+ - get-changes
+ permissions:
+ contents: write
+ pull-requests: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.6.0
+
+ - name: Terraform Format
+ run: terraform fmt --recursive .
+
+ - uses: dorny/paths-filter@v3
+ id: filter
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ base: HEAD
+ filters: |
+ terraform:
+ - '*.tf'
+
+ - name: Commit changes
+ if: steps.filter.outputs.terraform == 'true'
+ run: |
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ git config --global user.name "github-actions[bot]"
+ git add *.tf
+ git commit -m "Auto-format Terraform files"
+ git push origin HEAD:${{ github.event.pull_request.head.ref }}
\ No newline at end of file
diff --git a/.github/workflows/update-rules.yaml b/.github/workflows/update-rules.yaml
new file mode 100644
index 0000000..7ec1c5c
--- /dev/null
+++ b/.github/workflows/update-rules.yaml
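Review bot: In the Commit changes step, `${{ github.event.pull_request.head.ref }}` is substituted straight into the `run:` script, so a pull request whose branch name contains shell metacharacters executes arbitrary commands on the runner before `git push` is even attempted; the single-quoted `echo '${{ steps.changed-files.outputs.all_changed_files }}'` in get-changes has the same shape. Move both values into the step's `env:` (e.g. `HEAD_REF: ${{ github.event.pull_request.head.ref }}`) and reference them from the script as `"$HEAD_REF"`. The job requests `contents: write`, but on the `pull_request` event the token is read-only for pull requests coming from forks, so the push will fail there; gating the step on `github.event.pull_request.head.repo.full_name == github.repository` makes that behaviour explicit instead of a red check. Because this job runs with a write-capable token, pin the third-party actions it uses (tj-actions/changed-files, dorny/paths-filter, terraform-linters/setup-tflint) to full commit SHAs rather than floating major-version tags.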
@@ -0,0 +1,79 @@
+name: Update Config Rules
+
+on:
+ schedule:
+ - cron: '0 0 1,15 * *'
+ workflow_dispatch:
+
+jobs:
+ update-rules:
+ name: Update Rules
+ runs-on: ubuntu-latest
+ outputs:
+ any_changed: ${{ steps.changed-files.outputs.any_changed }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Update rules
+ id: update-rules
+ run: |
+ cd scripts
+ pip install -r requirements.txt
+ python index.py update-config-rules
+ python index.py update-rule-packs
+
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v44
+ with:
+ files: |
+ "*.tf"
+ "files/*"
+
+ - name: List all changed files
+ run: echo '${{ steps.changed-files.outputs.all_changed_files }}'
+
+ - uses: actions/cache@v4
+ name: Cache plugin dir
+ with:
+ path: ~/.tflint.d/plugins
+ key: tflint-${{ hashFiles('.tflint.hcl') }}
+
+ - uses: terraform-linters/setup-tflint@v4
+ name: Setup TFLint
+ with:
+ tflint_version: v0.50.3
+
+ - name: Show version
+ run: tflint --version
+
+ - name: Init TFLint
+ run: tflint --init
+
+ - name: Run TFLint
+ run: tflint --disable-rule=terraform_required_version
+
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.6.0
+
+ - name: Terraform Format
+ run: terraform fmt --recursive .
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v6
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ base: main
+ branch: auto-update-aws-config-rules
+ add-paths: |
+ managed_rules_*.tf
+ files/*
+ commit-message: Automatic updates to AWS managed Config Rules
+ delete-branch: true
+ title: '[Auto] Update AWS Config Rules'
+ body: |
+ Update the list of AWS managed Config Rules using the [latest documentation](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).
+ assignees: bensonce
+ reviewers: bensonce,duraikkannuv2
diff --git a/etc/severity_overrides.yaml b/etc/severity_overrides.yaml
new file mode 100644
index 0000000..800b15a
--- /dev/null
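Review bot: The update-rules job declares no `permissions:` block, yet the Create Pull Request step needs `contents: write` and `pull-requests: write` to push `auto-update-aws-config-rules` and open the PR; unless the repository's default GITHUB_TOKEN permissions are write-all this step fails, and if they are write-all then the earlier `pip install -r requirements.txt` and `python index.py` steps also run under that write token. Add `permissions:` with `contents: write` and `pull-requests: write` to the job so the grant is explicit and the repository default can stay read-only. The `files:` block scalar passed to changed-files keeps its double quotes as literal characters, so the patterns become `"*.tf"` and `"files/*"` rather than `*.tf` and `files/*`; write them unquoted inside the `|` block. A pull request opened with GITHUB_TOKEN does not trigger other workflows, so the lint and format checks in pull-request.yaml will not run on this automated PR unless a PAT or GitHub App token is used instead. Since the content landing in Terraform is presumably scraped from the linked AWS documentation page by `index.py`, the human review of that PR is the only gate on it; keep the assigned reviewers mandatory.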
+++ b/etc/severity_overrides.yaml
@@ -0,0 +1,43 @@
+overrides:
+ desired-instance-tenancy:
+ severity: Low
+ desired-instance-type:
+ severity: Low
+ cloudformation-stack-drift-detection-check:
+ severity: Low
+ cloudtrail-s3-bucket-public-access-prohibited:
+ severity: High
+ codepipeline-deployment-count-check:
+ severity: Low
+ codepipeline-region-fanout-check:
+ severity: Low
+ ebs-optimized-instance:
+ severity: Low
+ ec2-instance-detailed-monitoring-enabled:
+ severity: Low
+ ec2-instance-profile-attached:
+ severity: Low
+ ec2-no-amazon-key-pair:
+ severity: Low
+ ec2-token-hop-limit-check:
+ severity: Low
+ ec2-volume-inuse-check:
+ severity: Low
+ guardduty-eks-protection-runtime-enabled:
+ severity: Low
+ internet-gateway-authorized-vpc-only:
+ severity: High
+ lambda-dlq-check:
+ severity: Low
+ s3-bucket-replication-enabled:
+ severity: Low
+ s3-resources-protected-by-backup-plan:
+ severity: High
+ storagegateway-last-backup-recovery-point-created:
+ severity: High
+ virtualmachine-last-backup-recovery-point-created:
+ severity: High
+ virtualmachine-resources-protected-by-backup-plan:
+ severity: High
+ vpc-peering-dns-resolution-check:
+ severity: High
\ No newline at end of file
diff --git a/files/pack-rules-list.txt b/files/pack-rules-list.txt
index 8530a57..b64bc80 100644
--- a/files/pack-rules-list.txt
+++ b/files/pack-rules-list.txt
@@ -102,4 +102,4 @@ Security-Best-Practices-for-Network-Firewall
 Security-Best-Practices-for-RDS
 Security-Best-Practices-for-Redshift
 Security-Best-Practices-for-SageMaker
-Security-Best-Practices-for-Secrets-Manager
+Security-Best-Practices-for-Secrets-Manager
\ No newline at end of file
diff --git a/files/pack-rules.yaml b/files/pack-rules.yaml
index 4cc3839..d5df129 100644
--- a/files/pack-rules.yaml
+++ b/files/pack-rules.yaml
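Review bot: The new overrides file carries no comment saying what it overrides, which component reads it, or which `severity` values are accepted, so a maintainer cannot tell whether `Medium` or `Critical` would be honoured or whether the keys must match AWS managed rule identifiers exactly. Add a header such as `# Per-rule severity overrides applied on top of the default severity of the AWS managed Config rules; keys are managed rule identifiers` and list the allowed values beside it. The consumer is presumably `scripts/index.py` from the update workflow, but nothing in this change shows that, so confirm and name it in the comment. The file also lacks a trailing newline.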
@@ -1,9 +1,8 @@ ---- -generated_on: '2023-04-24T16:30:22Z' +generated_on: '2024-06-05T16:36:58Z' packs: AWS-Control-Tower-Detective-Guardrails: - autoscaling-launch-config-public-ip-disabled - - cloud-trail-enabled + - cloudtrail-enabled - dms-replication-not-public - ebs-optimized-instance - ebs-snapshot-public-restorable-check @@ -14,7 +13,6 @@ packs: - emr-master-no-public-ip - encrypted-volumes - iam-user-mfa-enabled - - incoming-ssh-disabled - lambda-function-public-access-prohibited - mfa-enabled-for-iam-console-access - no-unrestricted-route-to-igw @@ -22,7 +20,8 @@ packs: - rds-snapshots-public-prohibited - rds-storage-encrypted - redshift-cluster-public-access-check - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -44,15 +43,14 @@ packs: - api-gw-ssl-enabled - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-plan-min-frequency-and-min-retention-check - backup-recovery-point-encrypted - backup-recovery-point-manual-deletion-disabled - beanstalk-enhanced-health-reporting-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-alarm-action-check - cmk-backing-key-rotation-enabled @@ -70,9 +68,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-instance-detailed-monitoring-enabled - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan 
@@ -109,15 +108,13 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - kms-cmk-not-scheduled-for-deletion - lambda-concurrency-check - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - rds-automatic-minor-version-upgrade-enabled - rds-enhanced-monitoring-enabled @@ -136,7 +133,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -174,12 +172,11 @@ packs: - api-gw-ssl-enabled - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - beanstalk-enhanced-health-reporting-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check @@ -197,9 +194,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-instance-detailed-monitoring-enabled - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance 
@@ -235,15 +233,13 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-concurrency-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - rds-enhanced-monitoring-enabled - rds-in-backup-plan @@ -261,7 +257,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -302,12 +299,11 @@ packs: - api-gw-ssl-enabled - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - beanstalk-enhanced-health-reporting-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check @@ -323,9 +319,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-instance-detailed-monitoring-enabled - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance 
@@ -360,15 +357,13 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-concurrency-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - rds-enhanced-monitoring-enabled - rds-instance-public-access-check @@ -383,7 +378,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -420,14 +416,13 @@ packs: - api-gw-ssl-enabled - aurora-resources-protected-by-backup-plan - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-plan-min-frequency-and-min-retention-check - backup-recovery-point-manual-deletion-disabled - backup-recovery-point-minimum-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-log-group-encrypted @@ -442,9 +437,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan 
@@ -477,12 +473,10 @@ packs: - iam-user-group-membership-check - iam-user-mfa-enabled - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - rds-automatic-minor-version-upgrade-enabled - rds-cluster-deletion-protection-enabled @@ -502,7 +496,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -536,15 +531,14 @@ packs: - api-gw-execution-logging-enabled - aurora-resources-protected-by-backup-plan - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-plan-min-frequency-and-min-retention-check - backup-recovery-point-encrypted - backup-recovery-point-manual-deletion-disabled - backup-recovery-point-minimum-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-log-group-encrypted @@ -560,8 +554,9 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan 
@@ -595,11 +590,9 @@ packs: - iam-user-group-membership-check - iam-user-mfa-enabled - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - lambda-function-public-access-prohibited - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - rds-automatic-minor-version-upgrade-enabled - rds-cluster-deletion-protection-enabled @@ -621,7 +614,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -691,7 +685,7 @@ packs: - api-gw-ssl-enabled - api-gw-xray-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled + - cloudtrail-enabled Operational-Best-Practices-for-APRA-CPG-234: - access-keys-rotated - account-part-of-organizations @@ -704,11 +698,10 @@ packs: - api-gw-ssl-enabled - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - beanstalk-enhanced-health-reporting-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check @@ -727,9 +720,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ecs-task-definition-user-for-host-mode-check 
@@ -763,8 +757,6 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-concurrency-check @@ -772,7 +764,7 @@ packs: - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - rds-automatic-minor-version-upgrade-enabled - rds-enhanced-monitoring-enabled @@ -791,7 +783,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -861,7 +854,7 @@ packs: - beanstalk-enhanced-health-reporting-enabled - clb-multiple-az - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-alarm-action-check - db-instance-backup-enabled @@ -874,6 +867,7 @@ packs: - ebs-optimized-instance - ec2-ebs-encryption-by-default - ec2-instance-detailed-monitoring-enabled + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan @@ -890,11 +884,10 @@ packs: - encrypted-volumes - fsx-resources-protected-by-backup-plan - guardduty-enabled-centralized - - instances-in-vpc - lambda-concurrency-check - lambda-dlq-check - lambda-vpc-multi-az-check - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - opensearch-data-node-fault-tolerance - opensearch-logs-to-cloudwatch - rds-automatic-minor-version-upgrade-enabled 
@@ -948,10 +941,11 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-multiple-eni-check - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-security-group-attached-to-eni-periodic @@ -989,13 +983,11 @@ packs: - iam-user-group-membership-check - iam-user-mfa-enabled - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - kms-cmk-not-scheduled-for-deletion - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-audit-logging-enabled - opensearch-encrypted-at-rest @@ -1015,7 +1007,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -1047,9 +1040,6 @@ packs: - waf-regional-rulegroup-not-empty - waf-regional-webacl-not-empty - wafv2-logging-enabled - Operational-Best-Practices-for-Amazon-DynamoDB-with-Remediation: - - dynamodb-autoscaling-enabled - - dynamodb-throughput-limit-check Operational-Best-Practices-for-Amazon-DynamoDB: - dax-encryption-enabled - dynamodb-autoscaling-enabled 
@@ -1058,31 +1048,34 @@ packs: - dynamodb-table-encrypted-kms - dynamodb-throughput-limit-check - service-vpc-endpoint-enabled - Operational-Best-Practices-for-Amazon-S3-with-Remediation: - - s3-bucket-logging-enabled - - s3-bucket-public-read-prohibited - - s3-bucket-public-write-prohibited - - s3-bucket-replication-enabled - - s3-bucket-server-side-encryption-enabled - - s3-bucket-ssl-requests-only + Operational-Best-Practices-for-Amazon-DynamoDB-with-Remediation: + - dynamodb-autoscaling-enabled + - dynamodb-throughput-limit-check Operational-Best-Practices-for-Amazon-S3: - s3-account-level-public-access-blocks-periodic - s3-bucket-acl-prohibited + - s3-bucket-blacklisted-actions-prohibited - s3-bucket-default-lock-enabled - s3-bucket-level-public-access-prohibited - s3-bucket-logging-enabled - s3-bucket-public-read-prohibited - s3-bucket-public-write-prohibited - s3-bucket-replication-enabled - - s3-bucket-server-side-encryption-enabled - s3-bucket-ssl-requests-only - s3-bucket-versioning-enabled - s3-default-encryption-kms - s3-event-notifications-enabled - s3-version-lifecycle-policy-check + Operational-Best-Practices-for-Amazon-S3-with-Remediation: + - s3-bucket-logging-enabled + - s3-bucket-public-read-prohibited + - s3-bucket-public-write-prohibited + - s3-bucket-replication-enabled + - s3-bucket-server-side-encryption-enabled + - s3-bucket-ssl-requests-only Operational-Best-Practices-for-Asset-Management: - account-part-of-organizations - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance 
@@ -1123,91 +1116,92 @@ packs: - access-keys-rotated - account-part-of-organizations - acm-certificate-expiration-check - - alb-http-drop-invalid-header-enabled - alb-http-to-https-redirection-check + - alb-waf-enabled + - api-gw-associated-with-waf - api-gw-cache-enabled-and-encrypted - api-gw-execution-logging-enabled - api-gw-ssl-enabled - api-gw-xray-enabled + - api-gwv2-authorization-type-configured + - aurora-resources-protected-by-backup-plan - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check + - autoscaling-multiple-az + - backup-plan-min-frequency-and-min-retention-check + - backup-recovery-point-encrypted - beanstalk-enhanced-health-reporting-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - - cloud-trail-encryption-enabled + - cloudformation-stack-notification-check - cloudtrail-s3-dataevents-enabled + - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check - - cloudwatch-alarm-resource-check - cloudwatch-log-group-encrypted - cmk-backing-key-rotation-enabled - cw-loggroup-retention-period-check - db-instance-backup-enabled - dms-replication-not-public - dynamodb-autoscaling-enabled - - dynamodb-in-backup-plan - dynamodb-pitr-enabled + - dynamodb-resources-protected-by-backup-plan - dynamodb-table-encrypted-kms - dynamodb-throughput-limit-check - - ebs-in-backup-plan - ebs-optimized-instance + - ebs-resources-protected-by-backup-plan - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-instance-detailed-monitoring-enabled - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check + - ec2-resources-protected-by-backup-plan - ec2-stopped-instance - efs-encrypted-check - - efs-in-backup-plan + - efs-resources-protected-by-backup-plan + - 
eks-secrets-encrypted - elastic-beanstalk-managed-updates-enabled - elasticache-redis-cluster-automatic-backup-check - - elasticsearch-encrypted-at-rest - - elasticsearch-in-vpc-only - - elasticsearch-logs-to-cloudwatch - - elasticsearch-node-to-node-encryption-check - - elb-acm-certificate-required - - elb-cross-zone-load-balancing-enabled - elb-deletion-protection-enabled - elb-logging-enabled - - elb-tls-https-listeners-only - elbv2-acm-certificate-required + - elbv2-multiple-az - emr-kerberos-enabled - emr-master-no-public-ip - encrypted-volumes - guardduty-enabled-centralized - guardduty-non-archived-findings - iam-customer-policy-blocked-kms-actions - - iam-group-has-users-check - - iam-inline-policy-blocked-kms-actions - iam-no-inline-policy-check - iam-password-policy - iam-policy-no-statements-with-admin-access - - iam-policy-no-statements-with-full-access - iam-root-access-key-check - iam-user-group-membership-check - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-concurrency-check - - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - lambda-vpc-multi-az-check + - macie-status-check + - nlb-cross-zone-load-balancing-enabled - no-unrestricted-route-to-igw + - opensearch-encrypted-at-rest + - opensearch-https-required + - opensearch-in-vpc-only + - opensearch-logs-to-cloudwatch + - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check - rds-logging-enabled - rds-multi-az-support + - rds-resources-protected-by-backup-plan - rds-snapshot-encrypted - rds-snapshots-public-prohibited - rds-storage-encrypted 
@@ -1218,19 +1212,17 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic - - s3-bucket-level-public-access-prohibited - s3-bucket-logging-enabled - s3-bucket-public-read-prohibited - s3-bucket-public-write-prohibited - - s3-bucket-replication-enabled - s3-bucket-server-side-encryption-enabled - s3-bucket-ssl-requests-only - s3-bucket-versioning-enabled - s3-default-encryption-kms + - s3-resources-protected-by-backup-plan - sagemaker-endpoint-configuration-kms-key-configured - sagemaker-notebook-instance-kms-key-configured - sagemaker-notebook-no-direct-internet-access @@ -1259,9 +1251,9 @@ packs: - backup-recovery-point-minimum-retention-check - beanstalk-enhanced-health-reporting-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-alarm-action-check - cmk-backing-key-rotation-enabled @@ -1278,8 +1270,9 @@ packs: - ec2-ebs-encryption-by-default - ec2-imdsv2-check - ec2-instance-detailed-monitoring-enabled - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan 
@@ -1320,15 +1313,13 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - opensearch-encrypted-at-rest - opensearch-in-vpc-only - opensearch-logs-to-cloudwatch @@ -1350,7 +1341,8 @@ packs: - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic - s3-bucket-level-public-access-prohibited @@ -1383,11 +1375,10 @@ packs: - api-gw-execution-logging-enabled - api-gw-ssl-enabled - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-log-group-encrypted - cmk-backing-key-rotation-enabled @@ -1434,13 +1425,12 @@ packs: - iam-policy-no-statements-with-full-access - iam-root-access-key-check - iam-user-mfa-enabled - - incoming-ssh-disabled - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only 
@@ -1460,7 +1450,8 @@ packs: - redshift-cluster-kms-enabled - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -1497,11 +1488,10 @@ packs: - api-gw-execution-logging-enabled - api-gw-ssl-enabled - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-log-group-encrypted - cmk-backing-key-rotation-enabled @@ -1546,13 +1536,12 @@ packs: - iam-policy-no-statements-with-full-access - iam-root-access-key-check - iam-user-mfa-enabled - - incoming-ssh-disabled - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only @@ -1572,7 +1561,8 @@ packs: - redshift-cluster-kms-enabled - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -1609,11 +1599,10 @@ packs: - api-gw-execution-logging-enabled - api-gw-ssl-enabled - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-log-group-encrypted - cmk-backing-key-rotation-enabled 
@@ -1659,13 +1648,12 @@ packs: - iam-policy-no-statements-with-full-access - iam-root-access-key-check - iam-user-mfa-enabled - - incoming-ssh-disabled - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only @@ -1685,7 +1673,8 @@ packs: - redshift-cluster-kms-enabled - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -1714,9 +1703,31 @@ packs: - vpc-sg-open-only-to-authorized-ports - vpc-vpn-2-tunnels-up - wafv2-logging-enabled + Operational-Best-Practices-for-CIS: + - access-keys-rotated + - cloud-trail-cloud-watch-logs-enabled + - cloud-trail-encryption-enabled + - cloud-trail-log-file-validation-enabled + - cmk-backing-key-rotation-enabled + - iam-password-policy + - iam-policy-in-use + - iam-policy-no-statements-with-admin-access + - iam-root-access-key-check + - iam-user-no-policies-check + - iam-user-unused-credentials-check + - mfa-enabled-for-iam-console-access + - multi-region-cloudtrail-enabled + - restricted-common-ports + - restricted-ssh + - root-account-hardware-mfa-enabled + - root-account-mfa-enabled + - s3-bucket-logging-enabled + - s3-bucket-public-read-prohibited + - s3-bucket-public-write-prohibited + - vpc-default-security-group-closed + - vpc-flow-logs-enabled Operational-Best-Practices-for-CIS-AWS-FB-v1.3-Level1: - access-keys-rotated - - aws-config-process-check - cloud-trail-cloud-watch-logs-enabled - ec2-ebs-encryption-by-default - encrypted-volumes 
@@ -1728,8 +1739,8 @@ packs: - iam-user-no-policies-check - iam-user-unused-credentials-check - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled - - restricted-incoming-traffic + - multi-region-cloudtrail-enabled + - restricted-common-ports - root-account-mfa-enabled - s3-account-level-public-access-blocks - s3-bucket-logging-enabled @@ -1739,7 +1750,6 @@ packs: - s3-bucket-server-side-encryption-enabled Operational-Best-Practices-for-CIS-AWS-FB-v1.3-Level2: - access-keys-rotated - - aws-config-process-check - cloud-trail-cloud-watch-logs-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled @@ -1755,8 +1765,8 @@ packs: - iam-user-no-policies-check - iam-user-unused-credentials-check - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled - - restricted-incoming-traffic + - multi-region-cloudtrail-enabled + - restricted-common-ports - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks @@ -1770,7 +1780,6 @@ packs: - vpc-flow-logs-enabled Operational-Best-Practices-for-CIS-AWS-v1.4-Level1: - access-keys-rotated - - aws-config-process-check - cloud-trail-cloud-watch-logs-enabled - ec2-ebs-encryption-by-default - encrypted-volumes @@ -1782,12 +1791,12 @@ packs: - iam-user-group-membership-check - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - rds-snapshot-encrypted - rds-storage-encrypted - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic - s3-bucket-level-public-access-prohibited 
@@ -1798,7 +1807,6 @@ packs: Operational-Best-Practices-for-CIS-AWS-v1.4-Level2: - access-keys-rotated - account-part-of-organizations - - aws-config-process-check - cloud-trail-cloud-watch-logs-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled @@ -1815,12 +1823,12 @@ packs: - iam-user-group-membership-check - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - rds-snapshot-encrypted - rds-storage-encrypted - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -1840,10 +1848,9 @@ packs: - api-gw-execution-logging-enabled - api-gw-ssl-enabled - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-recovery-point-encrypted - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - codebuild-project-logging-enabled - cw-loggroup-retention-period-check @@ -1856,9 +1863,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-security-group-attached-to-eni 
@@ -1892,11 +1900,10 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - instances-in-vpc - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - opensearch-https-required - opensearch-in-vpc-only - rds-instance-public-access-check @@ -1935,11 +1942,10 @@ packs: - api-gw-execution-logging-enabled - api-gw-ssl-enabled - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-recovery-point-encrypted - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - codebuild-project-artifact-encryption - codebuild-project-environment-privileged-check @@ -1958,9 +1964,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-security-group-attached-to-eni @@ -2003,12 +2010,10 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-https-required 
@@ -2028,7 +2033,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -2066,11 +2072,10 @@ packs: - api-gw-execution-logging-enabled - api-gw-ssl-enabled - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-recovery-point-encrypted - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - codebuild-project-artifact-encryption - codebuild-project-environment-privileged-check @@ -2089,9 +2094,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-security-group-attached-to-eni @@ -2134,12 +2140,10 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-https-required @@ -2159,7 +2163,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic 
@@ -2195,9 +2200,9 @@ packs: - api-gw-cache-enabled-and-encrypted - api-gw-execution-logging-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-alarm-action-check - cloudwatch-log-group-encrypted @@ -2208,8 +2213,9 @@ packs: - dynamodb-pitr-enabled - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-security-group-attached-to-eni @@ -2234,14 +2240,12 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - rds-instance-public-access-check - rds-snapshot-encrypted - rds-snapshots-public-prohibited @@ -2250,7 +2254,8 @@ packs: - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks 
@@ -2273,29 +2278,6 @@ packs: - vpc-default-security-group-closed - vpc-flow-logs-enabled - vpc-sg-open-only-to-authorized-ports - Operational-Best-Practices-for-CIS: - - access-keys-rotated - - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-encryption-enabled - - cloud-trail-log-file-validation-enabled - - cmk-backing-key-rotation-enabled - - iam-password-policy - - iam-policy-in-use - - iam-policy-no-statements-with-admin-access - - iam-root-access-key-check - - iam-user-no-policies-check - - iam-user-unused-credentials-check - - incoming-ssh-disabled - - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled - - restricted-incoming-traffic - - root-account-hardware-mfa-enabled - - root-account-mfa-enabled - - s3-bucket-logging-enabled - - s3-bucket-public-read-prohibited - - s3-bucket-public-write-prohibited - - vpc-default-security-group-closed - - vpc-flow-logs-enabled Operational-Best-Practices-for-CISA-Cyber-Essentials: - access-keys-rotated - acm-certificate-expiration-check @@ -2307,7 +2289,6 @@ packs: - api-gw-ssl-enabled - aurora-resources-protected-by-backup-plan - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-plan-min-frequency-and-min-retention-check - backup-recovery-point-encrypted - backup-recovery-point-manual-deletion-disabled @@ -2331,8 +2312,9 @@ packs: - ebs-optimized-instance - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan 
@@ -2367,13 +2349,11 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - kms-cmk-not-scheduled-for-deletion - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-access-control-enabled - opensearch-audit-logging-enabled @@ -2398,7 +2378,8 @@ packs: - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -2438,7 +2419,6 @@ packs: - api-gw-cache-enabled-and-encrypted - api-gw-execution-logging-enabled - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-recovery-point-encrypted - cloud-trail-cloud-watch-logs-enabled - cloud-trail-encryption-enabled @@ -2454,9 +2434,10 @@ packs: - dynamodb-table-encrypted-kms - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ecs-containers-nonprivileged @@ -2491,13 +2472,11 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - kinesis-stream-encrypted - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-audit-logging-enabled - opensearch-encrypted-at-rest 
@@ -2516,7 +2495,8 @@ packs: - redshift-cluster-kms-enabled - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -2561,6 +2541,7 @@ packs: - ec2-imdsv2-check - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ecr-private-image-scanning-enabled - elasticsearch-in-vpc-only - elasticsearch-node-to-node-encryption-check @@ -2582,13 +2563,11 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-in-vpc-only - opensearch-node-to-node-encryption-check @@ -2597,7 +2576,8 @@ packs: - rds-snapshots-public-prohibited - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -2628,12 +2608,11 @@ packs: - api-gw-execution-logging-enabled - api-gw-ssl-enabled - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-plan-min-frequency-and-min-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check 
@@ -2652,9 +2631,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance @@ -2691,15 +2671,13 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only @@ -2718,7 +2696,8 @@ packs: - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -2755,7 +2734,7 @@ packs: - api-gw-execution-logging-enabled - autoscaling-launch-config-public-ip-disabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-alarm-action-check - dms-replication-not-public @@ -2763,6 +2742,7 @@ packs: - ec2-imdsv2-check - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - elasticsearch-in-vpc-only - elasticsearch-node-to-node-encryption-check - elb-acm-certificate-required 
@@ -2783,13 +2763,11 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-in-vpc-only - opensearch-node-to-node-encryption-check @@ -2798,7 +2776,8 @@ packs: - rds-snapshots-public-prohibited - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -2829,11 +2808,10 @@ packs: - api-gw-ssl-enabled - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-plan-min-frequency-and-min-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check @@ -2846,9 +2824,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance 
@@ -2882,14 +2861,12 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only @@ -2906,7 +2883,8 @@ packs: - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -2947,9 +2925,9 @@ packs: - autoscaling-launch-config-public-ip-disabled - backup-plan-min-frequency-and-min-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check @@ -2968,9 +2946,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance 
@@ -3007,15 +2986,13 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only @@ -3034,7 +3011,8 @@ packs: - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -3077,9 +3055,9 @@ packs: - autoscaling-launch-config-public-ip-disabled - backup-plan-min-frequency-and-min-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check @@ -3098,9 +3076,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance 
@@ -3137,15 +3116,13 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only @@ -3164,7 +3141,8 @@ packs: - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -3207,9 +3185,9 @@ packs: - autoscaling-launch-config-public-ip-disabled - backup-plan-min-frequency-and-min-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check @@ -3228,9 +3206,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance 
@@ -3267,15 +3246,13 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - internet-gateway-authorized-vpc-only - kms-cmk-not-scheduled-for-deletion - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only @@ -3294,7 +3271,8 @@ packs: - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -3339,21 +3317,21 @@ packs: - ec2-ebs-encryption-by-default - ec2-imdsv2-check - ec2-instance-detailed-monitoring-enabled - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-stopped-instance - ec2-volume-inuse-check - eip-attached - encrypted-volumes - - incoming-ssh-disabled - - instances-in-vpc - lambda-concurrency-check - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc + - restricted-ssh - service-vpc-endpoint-enabled Operational-Best-Practices-for-Data-Resiliency: - aurora-resources-protected-by-backup-plan 
@@ -3469,10 +3447,12 @@ packs: Operational-Best-Practices-for-EC2: - cloudwatch-alarm-resource-check - ebs-optimized-instance + - ebs-resources-protected-by-backup-plan + - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - ec2-instance-detailed-monitoring-enabled - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-multiple-eni-check - ec2-instance-no-public-ip - ec2-instance-profile-attached @@ -3484,8 +3464,8 @@ packs: - ec2-token-hop-limit-check - ec2-volume-inuse-check - eip-attached - - incoming-ssh-disabled - - instances-in-vpc + - encrypted-volumes + - restricted-ssh - service-vpc-endpoint-enabled Operational-Best-Practices-for-ENISA-Cybersecurity-Guide: - alb-http-drop-invalid-header-enabled @@ -3497,15 +3477,14 @@ packs: - api-gw-ssl-enabled - aurora-resources-protected-by-backup-plan - autoscaling-launch-config-public-ip-disabled - - aws-config-process-check - backup-plan-min-frequency-and-min-retention-check - backup-recovery-point-encrypted - backup-recovery-point-manual-deletion-disabled - backup-recovery-point-minimum-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudwatch-alarm-action-check - cloudwatch-log-group-encrypted - codebuild-project-artifact-encryption @@ -3518,7 +3497,7 @@ packs: - ebs-in-backup-plan - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check 
@@ -3544,7 +3523,6 @@ packs: - iam-policy-no-statements-with-admin-access - iam-policy-no-statements-with-full-access - iam-user-mfa-enabled - - incoming-ssh-disabled - internet-gateway-authorized-vpc-only - kinesis-stream-encrypted - lambda-function-public-access-prohibited @@ -3571,7 +3549,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -3643,9 +3622,9 @@ packs: - backup-recovery-point-encrypted - backup-recovery-point-manual-deletion-disabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudtrail-security-trail-enabled - cloudwatch-log-group-encrypted @@ -3665,9 +3644,10 @@ packs: - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan @@ -3704,14 +3684,12 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - kinesis-stream-encrypted - kms-cmk-not-scheduled-for-deletion - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-logs-to-cloudwatch 
@@ -3730,7 +3708,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic @@ -3774,7 +3753,7 @@ packs: - backup-recovery-point-manual-deletion-disabled - backup-recovery-point-minimum-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-alarm-action-check - codebuild-project-envvar-awscred-check @@ -3789,9 +3768,10 @@ packs: - ebs-in-backup-plan - ebs-snapshot-public-restorable-check - ec2-ebs-encryption-by-default - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan @@ -3830,14 +3810,12 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - incoming-ssh-disabled - - instances-in-vpc - lambda-concurrency-check - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - - multi-region-cloud-trail-enabled + - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-in-vpc-only @@ -3858,7 +3836,8 @@ packs: - redshift-cluster-public-access-check - redshift-enhanced-vpc-routing-enabled - redshift-require-tls-ssl - - restricted-incoming-traffic + - restricted-common-ports + - restricted-ssh - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic 
@@ -3881,22 +3860,24 @@ packs: - vpc-sg-open-only-to-authorized-ports - vpc-vpn-2-tunnels-up - wafv2-logging-enabled - Operational-Best-Practices-for-FedRAMP-Low: + Operational-Best-Practices-for-FedRAMP: - access-keys-rotated - acm-certificate-expiration-check - alb-http-to-https-redirection-check - alb-waf-enabled - api-gw-associated-with-waf + - api-gw-cache-enabled-and-encrypted - api-gw-execution-logging-enabled + - api-gw-ssl-enabled - aurora-resources-protected-by-backup-plan - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - backup-plan-min-frequency-and-min-retention-check - beanstalk-enhanced-health-reporting-enabled - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-enabled - cloud-trail-encryption-enabled - cloud-trail-log-file-validation-enabled + - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - cloudwatch-alarm-action-check - cloudwatch-log-group-encrypted @@ -3914,11 +3895,13 @@ packs: - ebs-optimized-instance - ebs-resources-protected-by-backup-plan - ebs-snapshot-public-restorable-check + - ec2-ebs-encryption-by-default - ec2-imdsv2-check - ec2-instance-detailed-monitoring-enabled - - ec2-instance-managed-by-ssm + - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached + - ec2-instances-in-vpc - ec2-managedinstance-association-compliance-status-check - ec2-managedinstance-patch-compliance-status-check - ec2-resources-protected-by-backup-plan 
@@ -3926,15 +3909,21 @@ packs: - ec2-volume-inuse-check - ecs-task-definition-memory-hard-limit - ecs-task-definition-user-for-host-mode-check + - efs-encrypted-check - efs-resources-protected-by-backup-plan - elastic-beanstalk-managed-updates-enabled - elasticache-redis-cluster-automatic-backup-check + - elasticsearch-encrypted-at-rest - elasticsearch-in-vpc-only + - elasticsearch-logs-to-cloudwatch + - elasticsearch-node-to-node-encryption-check - elb-cross-zone-load-balancing-enabled - elb-deletion-protection-enabled - elb-logging-enabled - elb-tls-https-listeners-only + - elbv2-acm-certificate-required - emr-master-no-public-ip + - encrypted-volumes - fsx-resources-protected-by-backup-plan - guardduty-enabled-centralized - guardduty-non-archived-findings 
@@ -3950,38 +3939,41 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - kms-cmk-not-scheduled-for-deletion
 - lambda-concurrency-check
 - lambda-dlq-check
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
- - opensearch-in-vpc-only
+ - opensearch-logs-to-cloudwatch
 - rds-enhanced-monitoring-enabled
 - rds-instance-deletion-protection-enabled
 - rds-instance-public-access-check
 - rds-logging-enabled
 - rds-multi-az-support
 - rds-resources-protected-by-backup-plan
+ - rds-snapshot-encrypted
 - rds-snapshots-public-prohibited
+ - rds-storage-encrypted
 - redshift-backup-enabled
 - redshift-cluster-configuration-check
 - redshift-cluster-kms-enabled
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
+ - s3-bucket-default-lock-enabled
 - s3-bucket-level-public-access-prohibited
 - s3-bucket-logging-enabled
 - s3-bucket-public-read-prohibited
 - s3-bucket-public-write-prohibited
 - s3-bucket-replication-enabled
+ - s3-bucket-server-side-encryption-enabled
 - s3-bucket-ssl-requests-only
 - s3-bucket-versioning-enabled
 - s3-default-encryption-kms
@@ -3996,26 +3988,23 @@ packs:
 - vpc-flow-logs-enabled
 - vpc-sg-open-only-to-authorized-ports
 - vpc-vpn-2-tunnels-up
- - waf-regional-webacl-not-empty
 - wafv2-logging-enabled
- Operational-Best-Practices-for-FedRAMP:
+ Operational-Best-Practices-for-FedRAMP-Low:
 - access-keys-rotated
 - acm-certificate-expiration-check
 - alb-http-to-https-redirection-check
 - alb-waf-enabled
 - api-gw-associated-with-waf
- - api-gw-cache-enabled-and-encrypted
 - api-gw-execution-logging-enabled
- - api-gw-ssl-enabled
 - aurora-resources-protected-by-backup-plan
 - autoscaling-group-elb-healthcheck-required
 - autoscaling-launch-config-public-ip-disabled
 - backup-plan-min-frequency-and-min-retention-check
 - beanstalk-enhanced-health-reporting-enabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudwatch-alarm-action-check
 - cloudwatch-log-group-encrypted
@@ -4033,12 +4022,12 @@ packs:
 - ebs-optimized-instance
 - ebs-resources-protected-by-backup-plan
 - ebs-snapshot-public-restorable-check
- - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-resources-protected-by-backup-plan
@@ -4046,21 +4035,15 @@ packs:
 - ec2-volume-inuse-check
 - ecs-task-definition-memory-hard-limit
 - ecs-task-definition-user-for-host-mode-check
- - efs-encrypted-check
 - efs-resources-protected-by-backup-plan
 - elastic-beanstalk-managed-updates-enabled
 - elasticache-redis-cluster-automatic-backup-check
- - elasticsearch-encrypted-at-rest
 - elasticsearch-in-vpc-only
- - elasticsearch-logs-to-cloudwatch
- - elasticsearch-node-to-node-encryption-check
 - elb-cross-zone-load-balancing-enabled
 - elb-deletion-protection-enabled
 - elb-logging-enabled
 - elb-tls-https-listeners-only
- - elbv2-acm-certificate-required
 - emr-master-no-public-ip
- - encrypted-volumes
 - fsx-resources-protected-by-backup-plan
 - guardduty-enabled-centralized
 - guardduty-non-archived-findings
@@ -4076,42 +4059,37 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - kms-cmk-not-scheduled-for-deletion
 - lambda-concurrency-check
 - lambda-dlq-check
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
- - opensearch-logs-to-cloudwatch
+ - opensearch-in-vpc-only
 - rds-enhanced-monitoring-enabled
 - rds-instance-deletion-protection-enabled
 - rds-instance-public-access-check
 - rds-logging-enabled
 - rds-multi-az-support
 - rds-resources-protected-by-backup-plan
- - rds-snapshot-encrypted
 - rds-snapshots-public-prohibited
- - rds-storage-encrypted
 - redshift-backup-enabled
 - redshift-cluster-configuration-check
 - redshift-cluster-kms-enabled
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
- - s3-bucket-default-lock-enabled
 - s3-bucket-level-public-access-prohibited
 - s3-bucket-logging-enabled
 - s3-bucket-public-read-prohibited
 - s3-bucket-public-write-prohibited
 - s3-bucket-replication-enabled
- - s3-bucket-server-side-encryption-enabled
 - s3-bucket-ssl-requests-only
 - s3-bucket-versioning-enabled
 - s3-default-encryption-kms
@@ -4126,6 +4104,7 @@ packs:
 - vpc-flow-logs-enabled
 - vpc-sg-open-only-to-authorized-ports
 - vpc-vpn-2-tunnels-up
+ - waf-regional-webacl-not-empty
 - wafv2-logging-enabled
 Operational-Best-Practices-for-Germany-C5:
 - access-keys-rotated
@@ -4144,9 +4123,9 @@ packs:
 - beanstalk-enhanced-health-reporting-enabled
 - clb-multiple-az
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-log-group-encrypted
@@ -4166,6 +4145,7 @@ packs:
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ec2-resources-protected-by-backup-plan
 - ecr-private-image-scanning-enabled
 - ecs-containers-nonprivileged
@@ -4198,15 +4178,13 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kinesis-stream-encrypted
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - lambda-vpc-multi-az-check
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - opensearch-access-control-enabled
 - opensearch-audit-logging-enabled
 - opensearch-data-node-fault-tolerance
@@ -4229,7 +4207,8 @@ packs:
 - redshift-cluster-configuration-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -4268,6 +4247,7 @@ packs:
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ecs-containers-readonly-access
 - efs-access-point-enforce-root-directory
 - efs-access-point-enforce-user-identity
@@ -4286,7 +4266,6 @@ packs:
 - iam-user-group-membership-check
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kinesis-stream-encrypted
 - lambda-function-public-access-prohibited
@@ -4326,8 +4305,8 @@ packs:
 - backup-recovery-point-manual-deletion-disabled
 - backup-recovery-point-minimum-retention-check
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudwatch-log-group-encrypted
 - codebuild-project-environment-privileged-check
@@ -4340,7 +4319,7 @@ packs:
 - ebs-optimized-instance
 - ebs-resources-protected-by-backup-plan
 - ec2-ebs-encryption-by-default
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-profile-attached
 - ec2-managedinstance-association-compliance-status-check
 - ec2-resources-protected-by-backup-plan
@@ -4372,7 +4351,7 @@ packs:
 - iam-policy-no-statements-with-full-access
 - iam-root-access-key-check
 - lambda-vpc-multi-az-check
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - opensearch-access-control-enabled
 - opensearch-audit-logging-enabled
 - opensearch-data-node-fault-tolerance
@@ -4416,14 +4395,13 @@ packs:
 - aurora-resources-protected-by-backup-plan
 - autoscaling-group-elb-healthcheck-required
 - autoscaling-launch-config-public-ip-disabled
- - aws-config-process-check
 - backup-plan-min-frequency-and-min-retention-check
 - backup-recovery-point-encrypted
 - backup-recovery-point-manual-deletion-disabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudwatch-alarm-action-check
 - codebuild-project-envvar-awscred-check
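Review bot: `aws-config-process-check` is removed from the pack in the @@ -4416 hunk with no renamed entry added in its place, unlike every other removal in these hunks, which reappears under a new identifier (`cloud-trail-enabled` → `cloudtrail-enabled`, `incoming-ssh-disabled` → `restricted-ssh`, `instances-in-vpc` → `ec2-instances-in-vpc`, `restricted-incoming-traffic` → `restricted-common-ports` and `restricted-ssh`, `ec2-instance-managed-by-ssm` → `ec2-instance-managed-by-systems-manager`). The same silent drop happens in the hunks at @@ -4545, @@ -5071, @@ -5196, @@ -6062, @@ -6190 and @@ -6439. If the rule was dropped on purpose because it is a process check that no automated evaluation can satisfy, that reasoning belongs in the commit message or in a comment near the top of the file so the coverage reduction is visibly deliberate; if it was dropped because the identifier mapping simply has no entry for it, the mapping needs one. The enclosing pack mapping starts and ends outside this hunk.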
@@ -4438,9 +4416,10 @@ packs:
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-resources-protected-by-backup-plan
@@ -4476,14 +4455,12 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kinesis-stream-encrypted
 - kms-cmk-not-scheduled-for-deletion
 - lambda-function-public-access-prohibited
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-encrypted-at-rest
 - opensearch-https-required
@@ -4505,7 +4482,8 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -4545,15 +4523,14 @@ packs:
 - api-gw-cache-enabled-and-encrypted
 - api-gw-execution-logging-enabled
 - aurora-resources-protected-by-backup-plan
- - aws-config-process-check
 - backup-plan-min-frequency-and-min-retention-check
 - backup-recovery-point-encrypted
 - backup-recovery-point-manual-deletion-disabled
 - backup-recovery-point-minimum-retention-check
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudwatch-alarm-action-check
 - cloudwatch-log-group-encrypted
 - cmk-backing-key-rotation-enabled
@@ -4570,7 +4547,7 @@ packs:
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
 - ec2-managedinstance-association-compliance-status-check
@@ -4679,9 +4656,9 @@ packs:
 - autoscaling-group-elb-healthcheck-required
 - backup-plan-min-frequency-and-min-retention-check
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-alarm-action-check
@@ -4701,6 +4678,7 @@ packs:
 - ec2-instance-detailed-monitoring-enabled
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-resources-protected-by-backup-plan
@@ -4733,14 +4711,12 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - kms-cmk-not-scheduled-for-deletion
 - lambda-concurrency-check
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-encrypted-at-rest
 - opensearch-node-to-node-encryption-check
@@ -4758,7 +4734,8 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
 - s3-bucket-default-lock-enabled
@@ -4800,9 +4777,9 @@ packs:
 Operational-Best-Practices-for-Logging:
 - api-gw-execution-logging-enabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-log-group-encrypted
@@ -4811,7 +4788,7 @@ packs:
 - cw-loggroup-retention-period-check
 - elasticsearch-logs-to-cloudwatch
 - elb-logging-enabled
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - opensearch-audit-logging-enabled
 - opensearch-logs-to-cloudwatch
 - rds-logging-enabled
@@ -4829,9 +4806,10 @@ packs:
 - dms-replication-not-public
 - ebs-snapshot-public-restorable-check
 - ec2-imdsv2-check
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-security-group-attached-to-eni-periodic
@@ -4853,8 +4831,6 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
@@ -4871,7 +4847,8 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-enhanced-vpc-routing-enabled
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -4903,9 +4880,9 @@ packs:
 - autoscaling-launch-config-public-ip-disabled
 - beanstalk-enhanced-health-reporting-enabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-log-group-encrypted
@@ -4924,9 +4901,10 @@ packs:
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ecs-task-definition-user-for-host-mode-check
@@ -4960,13 +4938,11 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - kms-cmk-not-scheduled-for-deletion
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-data-node-fault-tolerance
 - opensearch-encrypted-at-rest
@@ -4989,7 +4965,8 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -5023,21 +5000,21 @@ packs:
 Operational-Best-Practices-for-Management-Governance-Services:
 - account-part-of-organizations
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-alarm-action-check
 - cloudwatch-alarm-action-enabled-check
 - cloudwatch-log-group-encrypted
 - cw-loggroup-retention-period-check
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - guardduty-enabled-centralized
 - guardduty-non-archived-findings
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - securityhub-enabled
 Operational-Best-Practices-for-Monitoring:
 - api-gw-xray-enabled
@@ -5071,11 +5048,10 @@ packs:
 - api-gw-ssl-enabled
 - autoscaling-group-elb-healthcheck-required
 - autoscaling-launch-config-public-ip-disabled
- - aws-config-process-check
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudwatch-alarm-action-check
 - cloudwatch-log-group-encrypted
@@ -5092,9 +5068,10 @@ packs:
 - ebs-optimized-instance
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ecs-task-definition-user-for-host-mode-check
@@ -5129,8 +5106,6 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kms-cmk-not-scheduled-for-deletion
 - lambda-concurrency-check
@@ -5138,7 +5113,7 @@ packs:
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-audit-logging-enabled
 - opensearch-encrypted-at-rest
@@ -5162,7 +5137,8 @@ packs:
 - redshift-cluster-public-access-check
 - redshift-enhanced-vpc-routing-enabled
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -5196,7 +5172,6 @@ packs:
 - api-gw-cache-enabled-and-encrypted
 - api-gw-execution-logging-enabled
 - autoscaling-group-elb-healthcheck-required
- - aws-config-process-check
 - cloud-trail-cloud-watch-logs-enabled
 - cloud-trail-encryption-enabled
 - cloudtrail-s3-dataevents-enabled
@@ -5219,9 +5194,10 @@ packs:
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-stopped-instance
@@ -5258,8 +5234,6 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kms-cmk-not-scheduled-for-deletion
 - lambda-concurrency-check
@@ -5284,7 +5258,8 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -5322,9 +5297,9 @@ packs:
 - backup-recovery-point-encrypted
 - backup-recovery-point-minimum-retention-check
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-alarm-action-check
@@ -5344,8 +5319,9 @@ packs:
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ecs-container-insights-enabled
@@ -5382,8 +5358,6 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kinesis-stream-encrypted
 - kms-cmk-not-scheduled-for-deletion
@@ -5391,7 +5365,7 @@ packs:
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-encrypted-at-rest
 - opensearch-https-required
@@ -5413,7 +5387,8 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -5514,9 +5489,9 @@ packs:
 - autoscaling-launch-config-public-ip-disabled
 - beanstalk-enhanced-health-reporting-enabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-alarm-action-check
@@ -5534,7 +5509,7 @@ packs:
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
 - ec2-managedinstance-association-compliance-status-check
@@ -5570,7 +5545,6 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
 - kms-cmk-not-scheduled-for-deletion
 - lambda-concurrency-check
 - lambda-dlq-check
@@ -5592,6 +5566,7 @@ packs:
 - redshift-cluster-public-access-check
 - redshift-enhanced-vpc-routing-enabled
 - redshift-require-tls-ssl
+ - restricted-ssh
 - s3-account-level-public-access-blocks
 - s3-bucket-level-public-access-prohibited
 - s3-bucket-logging-enabled
@@ -5628,9 +5603,9 @@ packs:
 - autoscaling-group-elb-healthcheck-required
 - autoscaling-launch-config-public-ip-disabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-alarm-action-check
@@ -5650,9 +5625,10 @@ packs:
 - ebs-optimized-instance
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-security-group-attached-to-eni-periodic
@@ -5693,14 +5669,12 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kms-cmk-not-scheduled-for-deletion
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-access-control-enabled
 - opensearch-encrypted-at-rest
@@ -5722,7 +5696,8 @@ packs:
 - redshift-cluster-public-access-check
 - redshift-enhanced-vpc-routing-enabled
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -5760,8 +5735,9 @@ packs:
 - dms-replication-not-public
 - ebs-snapshot-public-restorable-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-stopped-instance
@@ -5779,8 +5755,6 @@ packs:
 - emr-master-no-public-ip
 - guardduty-enabled-centralized
 - iam-password-policy
- - incoming-ssh-disabled
- - instances-in-vpc
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - nacl-no-unrestricted-ssh-rdp
@@ -5796,7 +5770,8 @@ packs:
 - redshift-cluster-public-access-check
 - redshift-enhanced-vpc-routing-enabled
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - s3-account-level-public-access-blocks-periodic
 - s3-bucket-level-public-access-prohibited
 - s3-bucket-public-read-prohibited
@@ -5822,9 +5797,9 @@ packs:
 - api-gw-execution-logging-enabled
 - autoscaling-group-elb-healthcheck-required
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-alarm-action-check
@@ -5844,8 +5819,9 @@ packs:
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-stopped-instance
@@ -5875,14 +5851,12 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kms-cmk-not-scheduled-for-deletion
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - rds-enhanced-monitoring-enabled
 - rds-in-backup-plan
 - rds-instance-deletion-protection-enabled
@@ -5895,7 +5869,8 @@ packs:
 - redshift-cluster-configuration-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks
@@ -5933,9 +5908,9 @@ packs:
 - autoscaling-launch-config-public-ip-disabled
 - beanstalk-enhanced-health-reporting-enabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudwatch-alarm-action-check
 - cmk-backing-key-rotation-enabled
@@ -5953,9 +5928,10 @@ packs:
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-stopped-instance
@@ -5989,15 +5965,13 @@ packs:
 - iam-user-group-membership-check
 - iam-user-mfa-enabled
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - kinesis-stream-encrypted
 - kms-cmk-not-scheduled-for-deletion
 - lambda-dlq-check
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-encrypted-at-rest
 - opensearch-https-required
@@ -6021,7 +5995,8 @@ packs:
 - redshift-default-admin-check
 - redshift-enhanced-vpc-routing-enabled
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -6062,14 +6037,13 @@ packs:
 - aurora-resources-protected-by-backup-plan
 - autoscaling-group-elb-healthcheck-required
 - autoscaling-launch-config-public-ip-disabled
- - aws-config-process-check
 - backup-plan-min-frequency-and-min-retention-check
 - backup-recovery-point-encrypted
 - backup-recovery-point-manual-deletion-disabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - codebuild-project-envvar-awscred-check
 - codebuild-project-source-repo-url-check
@@ -6083,9 +6057,10 @@ packs:
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-resources-protected-by-backup-plan
@@ -6121,13 +6096,11 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - kms-cmk-not-scheduled-for-deletion
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-encrypted-at-rest
 - opensearch-in-vpc-only
@@ -6150,7 +6123,8 @@ packs:
 - redshift-cluster-public-access-check
 - redshift-enhanced-vpc-routing-enabled
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -6190,13 +6164,12 @@ packs:
 - aurora-resources-protected-by-backup-plan
 - autoscaling-group-elb-healthcheck-required
 - autoscaling-launch-config-public-ip-disabled
- - aws-config-process-check
 - backup-plan-min-frequency-and-min-retention-check
 - backup-recovery-point-encrypted
 - backup-recovery-point-manual-deletion-disabled
 - backup-recovery-point-minimum-retention-check
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-alarm-action-check
@@ -6215,9 +6188,10 @@ packs:
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-resources-protected-by-backup-plan
 - ec2-stopped-instance
@@ -6250,8 +6224,6 @@ packs:
 - iam-user-group-membership-check
 - iam-user-mfa-enabled
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - kms-cmk-not-scheduled-for-deletion
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
@@ -6278,7 +6250,8 @@ packs:
 - redshift-cluster-public-access-check
 - redshift-enhanced-vpc-routing-enabled
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -6323,9 +6296,9 @@ packs:
 - backup-recovery-point-manual-deletion-disabled
 - beanstalk-enhanced-health-reporting-enabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudwatch-alarm-action-check
 - cloudwatch-log-group-encrypted
@@ -6347,6 +6320,7 @@ packs:
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ecs-task-definition-user-for-host-mode-check
 - efs-encrypted-check
@@ -6375,14 +6349,12 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kinesis-stream-encrypted
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-audit-logging-enabled
 - opensearch-encrypted-at-rest
@@ -6404,7 +6376,8 @@ packs:
 - redshift-cluster-kms-enabled
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -6439,15 +6412,14 @@ packs:
 - alb-waf-enabled
 - api-gw-cache-enabled-and-encrypted
 - api-gw-execution-logging-enabled
- - aws-config-process-check
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
 - cloudfront-accesslogs-enabled
 - cloudfront-associated-with-waf
 - cloudfront-default-root-object-configured
 - cloudfront-viewer-policy-https
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-log-group-encrypted
@@ -6463,8 +6435,9 @@ packs:
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ecr-private-image-scanning-enabled
@@ -6489,8 +6462,6 @@ packs:
 - iam-root-access-key-check
 - iam-user-mfa-enabled
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - lambda-function-public-access-prohibited
 - mfa-enabled-for-iam-console-access
 - opensearch-encrypted-at-rest
@@ -6512,6 +6483,7 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -6542,16 +6514,16 @@ packs:
 - api-gw-ssl-enabled
 - api-gw-xray-enabled
 - autoscaling-group-elb-healthcheck-required
+ - ec2-instances-in-vpc
 - elb-acm-certificate-required
 - elb-cross-zone-load-balancing-enabled
 - elb-deletion-protection-enabled
 - elb-logging-enabled
 - elb-tls-https-listeners-only
 - elbv2-acm-certificate-required
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - vpc-default-security-group-closed
 - vpc-flow-logs-enabled
 - vpc-network-acl-unused-check
@@ -6573,9 +6545,9 @@ packs:
 - backup-recovery-point-encrypted
 - backup-recovery-point-minimum-retention-check
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudwatch-log-group-encrypted
 - cmk-backing-key-rotation-enabled
@@ -6584,9 +6556,10 @@ packs:
 - dms-replication-not-public
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-multiple-eni-check
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-security-group-attached-to-eni-periodic
@@ -6625,13 +6598,11 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - kms-cmk-not-scheduled-for-deletion
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - netfw-policy-rule-group-associated
 - netfw-stateless-rule-group-not-empty
 - no-unrestricted-route-to-igw
@@ -6656,7 +6627,8 @@ packs:
 - redshift-default-admin-check
 - redshift-default-db-name-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -6693,9 +6665,9 @@ packs:
 - dms-replication-not-public
 - ebs-snapshot-public-restorable-check
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - elasticsearch-in-vpc-only
 - emr-master-no-public-ip
- - instances-in-vpc
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
 - rds-instance-public-access-check
@@ -6720,12 +6692,11 @@ packs:
 - api-gw-ssl-enabled
 - aurora-resources-protected-by-backup-plan
 - autoscaling-launch-config-public-ip-disabled
- - aws-config-process-check
 - backup-plan-min-frequency-and-min-retention-check
 - backup-recovery-point-encrypted
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudwatch-log-group-encrypted
 - cmk-backing-key-rotation-enabled
@@ -6741,8 +6712,9 @@ packs:
 - ebs-in-backup-plan
 - ebs-snapshot-public-restorable-check
 - ec2-ebs-encryption-by-default
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ecr-private-tag-immutability-enabled
@@ -6767,13 +6739,11 @@ packs:
 - iam-policy-no-statements-with-full-access
 - iam-root-access-key-check
 - iam-user-no-policies-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kms-cmk-not-scheduled-for-deletion
 - lambda-function-public-access-prohibited
 - lambda-inside-vpc
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - no-unrestricted-route-to-igw
 - opensearch-audit-logging-enabled
 - opensearch-encrypted-at-rest
@@ -6794,7 +6764,8 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - s3-account-level-public-access-blocks-periodic
 - s3-bucket-level-public-access-prohibited
 - s3-bucket-logging-enabled
@@ -6836,7 +6807,7 @@ packs:
 - beanstalk-enhanced-health-reporting-enabled
 - clb-multiple-az
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cmk-backing-key-rotation-enabled
 - codebuild-project-logging-enabled
@@ -6851,9 +6822,10 @@ packs:
 - ebs-optimized-instance
 - ebs-snapshot-public-restorable-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-association-compliance-status-check
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-resources-protected-by-backup-plan
@@ -6890,8 +6862,6 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - lambda-concurrency-check
 - lambda-dlq-check
@@ -6899,7 +6869,7 @@ packs:
 - lambda-inside-vpc
 - lambda-vpc-multi-az-check
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - opensearch-https-required
 - opensearch-in-vpc-only
 - opensearch-logs-to-cloudwatch
@@ -6917,7 +6887,8 @@ packs:
 - redshift-cluster-maintenancesettings-check
 - redshift-cluster-public-access-check
 - redshift-require-tls-ssl
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -6948,19 +6919,20 @@ packs:
 - api-gw-ssl-enabled
 - autoscaling-launch-config-public-ip-disabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudwatch-log-group-encrypted
 - dynamodb-table-encrypted-kms
 - ebs-in-backup-plan
 - ec2-ebs-encryption-by-default
 - ec2-imdsv2-check
 - ec2-instance-detailed-monitoring-enabled
- - ec2-instance-managed-by-ssm
+ - ec2-instance-managed-by-systems-manager
 - ec2-instance-multiple-eni-check
 - ec2-instance-no-public-ip
 - ec2-instance-profile-attached
+ - ec2-instances-in-vpc
 - ec2-managedinstance-patch-compliance-status-check
 - ec2-no-amazon-key-pair
 - ec2-stopped-instance
@@ -6983,8 +6955,6 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
- - instances-in-vpc
 - internet-gateway-authorized-vpc-only
 - kinesis-stream-encrypted
 - kms-cmk-not-scheduled-for-deletion
@@ -6995,7 +6965,8 @@ packs:
 - netfw-policy-rule-group-associated
 - no-unrestricted-route-to-igw
 - opensearch-node-to-node-encryption-check
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -7030,9 +7001,9 @@ packs:
 - api-gw-associated-with-waf
 - api-gw-execution-logging-enabled
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-security-trail-enabled
 - cloudwatch-alarm-action-check
 - cmk-backing-key-rotation-enabled
@@ -7051,12 +7022,12 @@ packs:
 - iam-user-mfa-enabled
 - iam-user-no-policies-check
 - iam-user-unused-credentials-check
- - incoming-ssh-disabled
 - kms-cmk-not-scheduled-for-deletion
 - mfa-enabled-for-iam-console-access
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 - rds-logging-enabled
- - restricted-incoming-traffic
+ - restricted-common-ports
+ - restricted-ssh
 - root-account-hardware-mfa-enabled
 - root-account-mfa-enabled
 - s3-account-level-public-access-blocks-periodic
@@ -7149,12 +7120,12 @@ packs:
 - cloudfront-viewer-policy-https
 Security-Best-Practices-for-CloudTrail:
 - cloud-trail-cloud-watch-logs-enabled
- - cloud-trail-enabled
 - cloud-trail-encryption-enabled
 - cloud-trail-log-file-validation-enabled
+ - cloudtrail-enabled
 - cloudtrail-s3-dataevents-enabled
 - cloudtrail-security-trail-enabled
- - multi-region-cloud-trail-enabled
+ - multi-region-cloudtrail-enabled
 Security-Best-Practices-for-CodeBuild:
 - codebuild-project-artifact-encryption
 - codebuild-project-environment-privileged-check
diff --git a/locals.tf b/locals.tf
index b19624a..7a29242 100644
--- a/locals.tf
+++ b/locals.tf
@@ -42,6 +42,6 @@ locals {
 rules_to_apply = {
 for rule, attr in local.final_managed_rules :
- rule => attr if contains(local.final_rules, rule)
+ rule => attr if contains(local.final_rules, rule)
 }
 }
diff --git a/managed_rules_locals.tf b/managed_rules_locals.tf
index 4b2c7b2..82928ae 100644
--- a/managed_rules_locals.tf
+++ b/managed_rules_locals.tf
@@ -1,15 +1,16 @@ locals { managed_rules = { access-keys-rotated = { - description = "Checks if the active access keys are rotated within the number of days specified in maxAccessKeyAge . The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days." - input_parameters = var.access_keys_rotated_parameters - severity = "Medium" + description = "Checks if active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge . The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days." + input_parameters = var.access_keys_rotated_parameters + resource_types_scope = ["AWS::IAM::User"] + severity = "Medium" } account-part-of-organizations = { description = "Checks if an AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId ." input_parameters = var.account_part_of_organizations_parameters - severity = "Low" + severity = "High" } acm-certificate-expiration-check = { @@ -22,7 +23,14 @@ locals { acm-certificate-rsa-check = { description = "Checks if RSA certificates managed by AWS Certificate Manager (ACM) have a key length of at least 2048 bits.The rule is NON_COMPLIANT if the minimum key length is less than 2048 bits." resource_types_scope = ["AWS::ACM::Certificate"] - severity = "Medium" + severity = "High" + } + + acm-pca-root-ca-disabled = { + description = "Checks if AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED." + input_parameters = var.acm_pca_root_ca_disabled_parameters + resource_types_scope = ["AWS::ACMPCA::CertificateAuthority"] + severity = "Low" } alb-desync-mode-check = { 
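Review bot: `acm-pca-root-ca-disabled` enters at `severity = "Low"` in the same hunk that raises `acm-certificate-rsa-check` to High, which reads inverted: the new rule flags a Private CA root that is still enabled, i.e. a root key kept online and able to issue, which a PKI reviewer would normally weight at least as heavily as a 2048-bit key floor. I would set it to High, or add a comment on the entry stating the scale being followed, e.g. `# Low: only meaningful for tenants operating a Private CA hierarchy`. The entry also reads `var.acm_pca_root_ca_disabled_parameters`, whose declaration is not in this diff, so confirm it exists with a sensible default. The enclosing `locals` block continues past this hunk.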
@@ -39,8 +47,9 @@ locals {
 }
 alb-http-to-https-redirection-check = {
- description = "Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured. The rule is..."
- severity = "Medium"
+ description = "Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured. The rule is..."
+ resource_types_scope = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
+ severity = "Medium"
 }
 alb-waf-enabled = {
@@ -124,6 +133,13 @@ locals {
 severity = "Medium"
 }
+ appsync-authorization-check = {
+ description = "Checks if an AWS AppSync API is using allowed authorization mechanisms. The rule is NON_COMPLIANT if an unapproved authorization mechanism is being used."
+ input_parameters = var.appsync_authorization_check_parameters
+ resource_types_scope = ["AWS::AppSync::GraphQLApi"]
+ severity = "High"
+ }
 appsync-cache-encryption-at-rest = {
 description = "Checks if an AWS AppSync API cache has encryption at rest enabled. This rule is NON_COMPLIANT if AtRestEncryptionEnabled is false."
 resource_types_scope = ["AWS::AppSync::GraphQLApi"]
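Review bot: The re-emitted `description` for `alb-http-to-https-redirection-check` still ends in a truncated `The rule is...`, so the sentence that says what the rule does not evaluate (the one this commit completes for other entries) is missing here. Since the line is being rewritten anyway to add `resource_types_scope`, finish the text from the upstream rule page or cut it cleanly at `...redirection configured.` rather than shipping a trailing ellipsis in a user-facing string.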
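Review bot: `appsync-authorization-check` only reports NON_COMPLIANT for mechanisms outside an allow-list, and that list comes solely from `var.appsync_authorization_check_parameters`, whose declaration is not in this diff; if the variable's default is empty the rule is presumably created with nothing to compare against, which is a quiet failure for a High-severity control. Confirm the default names the approved authorization types (the AWS rule's parameter is, as far as I recall, a required comma-separated list), and document the expectation beside the entry: `# requires the allowed-authorization-types parameter; an empty default leaves the rule without an allow-list`.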
@@ -137,6 +153,12 @@ locals {
 severity = "Medium"
 }
+ athena-workgroup-encrypted-at-rest = {
+ description = "Checks if an Amazon Athena workgroup is encrypted at rest. The rule is NON_COMPLIANT if encryption of data at rest is not enabled for an Athena workgroup."
+ resource_types_scope = ["AWS::Athena::WorkGroup"]
+ severity = "Medium"
+ }
 aurora-last-backup-recovery-point-created = {
 description = "Checks if a recovery point was created for Amazon Aurora DB clusters. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) DB Cluster does not have a corresponding recovery point created within the specified time period."
 input_parameters = var.aurora_last_backup_recovery_point_created_parameters
@@ -144,6 +166,13 @@ locals {
 severity = "Medium"
 }
+ aurora-meets-restore-time-target = {
+ description = "Checks if the restore time of Amazon Aurora DB clusters meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Aurora DB Cluster is greater than maxRestoreTime minutes."
+ input_parameters = var.aurora_meets_restore_time_target_parameters
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
+ }
 aurora-mysql-backtracking-enabled = {
 description = "Checks if an Amazon Aurora MySQL cluster has backtracking enabled. The rule is NON_COMPLIANT if the Aurora cluster uses MySQL and it does not have backtracking enabled."
 input_parameters = var.aurora_mysql_backtracking_enabled_parameters
@@ -161,11 +190,11 @@ locals {
 autoscaling-capacity-rebalancing = {
 description = "Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types. The rule is NON_COMPLIANT if capacity Rebalancing is not enabled."
 resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
- severity = "Low"
+ severity = "Medium"
 }
 autoscaling-group-elb-healthcheck-required = {
- description = "Checks if your Amazon EC2 Auto Scaling groups that are associated with a Classic Load Balancer use Elastic Load Balancing health checks. The rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling groups are not using Elastic Load Balancing health checks."
+ description = "Checks if your Amazon EC2 Auto Scaling groups that are associated with an Elastic Load Balancer use Elastic Load Balancing health checks. The rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling groups are not using Elastic Load Balancing health checks."
 resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
 severity = "Low"
 }
@@ -173,25 +202,25 @@ locals {
 autoscaling-launchconfig-requires-imdsv2 = {
 description = "Checks whether only IMDSv2 is enabled. This rule is NON_COMPLIANT if the Metadata version is not included in the launch configuration or if both Metadata V1 and V2 are enabled."
 resource_types_scope = ["AWS::AutoScaling::LaunchConfiguration"]
- severity = "Low"
+ severity = "High"
 }
 autoscaling-launch-config-hop-limit = {
 description = "Checks the number of network hops that the metadata token can travel. This rule is NON_COMPLIANT if the Metadata response hop limit is greater than 1."
 resource_types_scope = ["AWS::AutoScaling::LaunchConfiguration"]
- severity = "Low"
+ severity = "High"
 }
 autoscaling-launch-config-public-ip-disabled = {
 description = "Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. The rule is NON_COMPLIANT if the Launch Configuration for an Amazon EC2 Auto Scaling group has AssociatePublicIpAddress set to true ."
 resource_types_scope = ["AWS::AutoScaling::LaunchConfiguration"]
- severity = "Medium"
+ severity = "High"
 }
 autoscaling-launch-template = {
 description = "Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template. The rule is NON_COMPLIANT if the scaling group is not created from an EC2 launch template."
 resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
- severity = "Low"
+ severity = "Medium"
 }
 autoscaling-multiple-az = {
@@ -204,7 +233,7 @@ locals {
 autoscaling-multiple-instance-types = {
 description = "Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types. This rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined."
 resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
- severity = "Low"
+ severity = "Medium"
 }
 backup-plan-min-frequency-and-min-retention-check = {
@@ -255,7 +284,7 @@ locals {
 }
 cloudformation-stack-drift-detection-check = {
- description = "Checks if the actual configuration of a Cloud Formation stack differs, or has drifted, from the expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the..."
+ description = "Checks if the actual configuration of a AWS CloudFormation (AWS CloudFormation) stack differs, or has drifted, from the expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected..."
 input_parameters = var.cloudformation_stack_drift_detection_check_parameters
 resource_types_scope = ["AWS::CloudFormation::Stack"]
 severity = "Low"
@@ -269,7 +298,7 @@ locals {
 }
 cloudfront-accesslogs-enabled = {
- description = "Checks if Amazon CloudFront distributions are configured to capture information from Amazon Simple Storage Service (Amazon S3) server access logs. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured."
+ description = "Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured."
 input_parameters = var.cloudfront_accesslogs_enabled_parameters
 resource_types_scope = ["AWS::CloudFront::Distribution"]
 severity = "Medium"
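Review bot: The new `cloudformation-stack-drift-detection-check` description reads `a AWS CloudFormation (AWS CloudFormation) stack`, a copy artifact that duplicates the service name and uses the wrong article, and it still trails off in `expected...`. Since this string is shown to operators in the Config console, I would write `an AWS CloudFormation stack` and either complete the last sentence from the upstream rule text or end it at `expected configuration.`.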
@@ -285,19 +314,19 @@ locals {
 cloudfront-custom-ssl-certificate = {
 description = "Checks if the certificate associated with an Amazon CloudFront distribution is the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate."
 resource_types_scope = ["AWS::CloudFront::Distribution"]
- severity = "Low"
+ severity = "Medium"
 }
 cloudfront-default-root-object-configured = {
 description = "Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if Amazon CloudFront distribution does not have a default root object configured."
 resource_types_scope = ["AWS::CloudFront::Distribution"]
- severity = "Critical"
+ severity = "High"
 }
 cloudfront-no-deprecated-ssl-protocols = {
 description = "Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any OriginSslProtocols includes SSLv3 ."
 resource_types_scope = ["AWS::CloudFront::Distribution"]
- severity = "High"
+ severity = "Medium"
 }
 cloudfront-origin-access-identity-enabled = {
@@ -321,7 +350,7 @@ locals {
 cloudfront-s3-origin-non-existent-bucket = {
 description = "Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if S3OriginConfig for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting."
 resource_types_scope = ["AWS::CloudFront::Distribution"]
- severity = "Medium"
+ severity = "High"
 }
 cloudfront-security-policy-check = {
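Review bot: `cloudfront-no-deprecated-ssl-protocols` drops from High to Medium in this hunk while `cloudfront-default-root-object-configured`, a hardening-of-convenience rule, stays at High, and the commit gives no rationale for either move. A distribution that still lists SSLv3 in `OriginSslProtocols` leaves the edge-to-origin leg open to protocol downgrade, so I would expect this one to keep High; if the values are being aligned with an external scale, name it once next to the entries, e.g. `# severities follow <source>, see CHANGELOG`, so later edits have something to check against. The `cloudfront-s3-origin-non-existent-bucket` raise to High in the second hunk is sound, since a dangling S3 origin is a bucket-takeover path.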
@@ -333,13 +362,13 @@ locals {
 cloudfront-sni-enabled = {
 description = "Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. The rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address."
 resource_types_scope = ["AWS::CloudFront::Distribution"]
- severity = "Medium"
+ severity = "Low"
 }
 cloudfront-traffic-to-origin-encrypted = {
 description = "Checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if OriginProtocolPolicy is http-only or if OriginProtocolPolicy is match-viewer and ViewerProtocolPolicy is allow-all ."
 resource_types_scope = ["AWS::CloudFront::Distribution"]
- severity = "Critical"
+ severity = "Medium"
 }
 cloudfront-viewer-policy-https = {
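Review bot: `cloudfront-traffic-to-origin-encrypted` is lowered two steps, from Critical to Medium, with no reason in the hunk; per its own description this is the rule that fires on `http-only` origin traffic, i.e. viewer data leaving CloudFront in plaintext, which is a different class of finding from the SNI cost-optimisation rule lowered beside it. I would keep it at High and reserve Medium for rules that do not affect data in transit, or, if a published severity table is being followed, cite it on the line: `severity = "Medium" # per <source>`.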
@@ -348,6 +377,30 @@ locals {
 severity = "Medium"
 }
+ cloudtrail-all-read-s3-data-event-check = {
+ description = "Checks if an AWS CloudTrail multi-Region trail is enabled and logs all read S3 data events for your buckets. The rule is NON_COMPLIANT if no multi-Region trail logs all read S3 data event types for all current and future S3 buckets."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "Medium"
+ }
+ cloudtrail-all-write-s3-data-event-check = {
+ description = "Checks if an AWS CloudTrail multi-Region trail is enabled and logs all write S3 data events for your buckets. The rule is NON_COMPLIANT if no multi-Region trail logs all write S3 data event types for all current and future S3 buckets."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "Medium"
+ }
+ cloudtrail-s3-bucket-access-logging = {
+ description = "Checks if the S3 bucket configurations for your AWS CloudTrail logs have Amazon S3 server access logging enabled. The rule is NON_COMPLIANT if at least one S3 bucket for a CloudTrail trail does not have S3 server access logging enabled."
+ resource_types_scope = ["AWS::CloudTrail::Trail"]
+ severity = "Medium"
+ }
+ cloudtrail-s3-bucket-public-access-prohibited = {
+ description = "Checks if the S3 bucket configurations for your AWS CloudTrail logs block public access. The rule is NON_COMPLIANT if at least one S3 bucket for a CloudTrail trail is publicly accessible."
+ resource_types_scope = ["AWS::CloudTrail::Trail"]
+ severity = "High"
+ }
 cloudtrail-s3-dataevents-enabled = {
 description = "Checks if at least one AWS CloudTrail trail is logging Amazon Simple Storage Service (Amazon S3) data events for all S3 buckets. The rule is NON_COMPLIANT if there are trails or if no trails record S3 data events."
 input_parameters = var.cloudtrail_s3_dataevents_enabled_parameters
@@ -363,7 +416,7 @@ locals {
 description = "Checks if CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally checks if any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter."
 input_parameters = var.cloudwatch_alarm_action_check_parameters
 resource_types_scope = ["AWS::CloudWatch::Alarm"]
- severity = "Medium"
+ severity = "High"
 }
 cloudwatch-alarm-action-enabled-check = {
@@ -373,9 +426,10 @@ locals {
 }
 cloudwatch-alarm-resource-check = {
- description = "Checks if a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm."
- input_parameters = var.cloudwatch_alarm_resource_check_parameters
- severity = "Medium"
+ description = "Checks if a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm."
+ input_parameters = var.cloudwatch_alarm_resource_check_parameters
+ resource_types_scope = ["AWS::EC2::Instance", "AWS::RDS::DBCluster", "AWS::S3::Bucket", "AWS::EC2::Volume"]
+ severity = "Medium"
 }
 cloudwatch-alarm-settings-check = {
@@ -386,36 +440,41 @@ locals {
 }
 cloudwatch-log-group-encrypted = {
- description = "Checks if Amazon CloudWatch Log Groups are encrypted with any AWS KMS key or a specified AWS KMS key Id. The rule is NON_COMPLIANT if a CloudWatch Log Group is not encrypted with a KMS key or is encrypted with a KMS key not supplied in the rule parameter."
- input_parameters = var.cloudwatch_log_group_encrypted_parameters
- severity = "Medium"
+ description = "Checks if Amazon CloudWatch Log Groups are encrypted with any AWS KMS key or a specified AWS KMS key Id. The rule is NON_COMPLIANT if a CloudWatch Log Group is not encrypted with a KMS key or is encrypted with a KMS key not supplied in the rule parameter."
+ input_parameters = var.cloudwatch_log_group_encrypted_parameters
+ resource_types_scope = ["AWS::Logs::LogGroup"]
+ severity = "Medium"
 }
 cloud-trail-cloud-watch-logs-enabled = {
- description = "Checks if AWS CloudTrail trails are configured to send logs to CloudWatch logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty."
- input_parameters = var.cloud_trail_cloud_watch_logs_enabled_parameters
- severity = "Low"
+ description = "Checks if AWS CloudTrail trails are configured to send logs to CloudWatch logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty."
+ input_parameters = var.cloud_trail_cloud_watch_logs_enabled_parameters
+ resource_types_scope = ["AWS::CloudTrail::Trail"]
+ severity = "Low"
 }
- cloud-trail-enabled = {
+ cloudtrail-enabled = {
 description = "Checks if an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group."
- input_parameters = var.cloud_trail_enabled_parameters
+ input_parameters = var.cloudtrail_enabled_parameters
 severity = "High"
 }
 cloud-trail-encryption-enabled = {
- description = "Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) encryption. The rule is COMPLIANT if the KmsKeyId is defined."
- severity = "Medium"
+ description = "Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) encryption. The rule is COMPLIANT if the KmsKeyId is defined."
+ resource_types_scope = ["AWS::CloudTrail::Trail"]
+ severity = "Medium"
 }
 cloud-trail-log-file-validation-enabled = {
- description = "Checks if AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled."
- severity = "Low"
+ description = "Checks if AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled."
+ resource_types_scope = ["AWS::CloudTrail::Trail"]
+ severity = "Low"
 }
 cmk-backing-key-rotation-enabled = {
- description = "Checks if automatic key rotation is enabled for each key and matches to the key ID of the customer created AWS KMS key. The rule is NON_COMPLIANT if the AWS Config recorder role for a resource does not have the kms:DescribeKey permission."
- severity = "Medium"
+ description = "Checks if automatic key rotation is enabled for each key and matches to the key ID of the customer created AWS KMS key. The rule is NON_COMPLIANT if the AWS Config recorder role for a resource does not have the kms:DescribeKey permission."
+ resource_types_scope = ["AWS::KMS::Key"]
+ severity = "Medium"
 }
 codebuild-project-artifact-encryption = {
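Review bot: Renaming the map key to `cloudtrail-enabled` also renames its input to `var.cloudtrail_enabled_parameters`, so a caller that still passes `cloud_trail_enabled_parameters` will be rejected as an unsupported argument on a module call, or ignored with a warning if it arrives via tfvars, and either way the trail check silently runs without its optional bucket/topic/log-group constraints. Unless variables.tf (outside this diff) keeps the old name as a deprecated alias, this is a breaking change and belongs in the changelog; a comment at the entry, `# renamed from cloud-trail-enabled / var.cloud_trail_enabled_parameters to match the AWS rule identifier`, would also help anyone grepping for the old name. Note this entry is the only CloudTrail rule in the hunk that does not gain a `resource_types_scope`; if that is because the rule is account-scoped, a one-word comment saying so would stop the next pass from "fixing" it. The enclosing `locals` block starts before this hunk.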
@@ -428,7 +487,7 @@ locals {
 description = "Checks if an AWS CodeBuild project environment has privileged mode enabled. The rule is NON_COMPLIANT for a CodeBuild project if privilegedMode is set to true ."
 input_parameters = var.codebuild_project_environment_privileged_check_parameters
 resource_types_scope = ["AWS::CodeBuild::Project"]
- severity = "Medium"
+ severity = "High"
 }
 codebuild-project-envvar-awscred-check = {
@@ -448,11 +507,11 @@ locals {
 description = "Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. The rule is NON_COMPLIANT if encryptionDisabled is set to true in a S3LogsConfig of a CodeBuild project."
 input_parameters = var.codebuild_project_s3_logs_encrypted_parameters
 resource_types_scope = ["AWS::CodeBuild::Project"]
- severity = "Medium"
+ severity = "Low"
 }
 codebuild-project-source-repo-url-check = {
- description = "Checks if the GitHub or Bitbucket source repository URL contains either personal access tokens or sign-in credentials. The rule is COMPLIANT with the usage of OAuth to grant authorization for accessing GitHub or Bitbucket repositories."
+ description = "Checks if the Bitbucket source repository URL contains sign-in credentials or not. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn t."
 resource_types_scope = ["AWS::CodeBuild::Project"]
 severity = "Critical"
 }
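Review bot: The new `codebuild-project-source-repo-url-check` description ends in `doesn t`, the apostrophe having been lost when the text was copied; a single quote is legal inside an HCL double-quoted string, so it should read `COMPLIANT if it doesn't.`. The rewrite also narrows the stated scope from GitHub-or-Bitbucket to Bitbucket only while the entry keeps `severity = "Critical"`; if that matches the current upstream rule text it is fine, but a GitHub URL with an embedded token is the same class of secret, and the description no longer says whether that case is covered, so a short comment on the entry stating what was verified against the AWS rule page would save the next reader the same question.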
@@ -490,21 +549,35 @@ locals { severity = "Low" } + custom-eventbus-policy-attached = { + description = "Checks if Amazon EventBridge custom event buses have a resource-based policy attached. The rule is NON_COMPLIANT if a custom event bus policy does not have an attached resource-based policy." + resource_types_scope = ["AWS::Events::EventBus"] + severity = "Medium" + } + custom-schema-registry-policy-attached = { description = "Checks if custom Amazon EventBridge schema registries have a resource policy attached. The rule is NON_COMPLIANT for custom schema registries without a resource policy attached." resource_types_scope = ["AWS::EventSchemas::Registry"] - severity = "Medium" + severity = "Low" } cw-loggroup-retention-period-check = { - description = "Checks if Amazon CloudWatch LogGroup retention period is set to specific number of days. The rule is NON_COMPLIANT if the retention period for the log group is less than the MinRetentionTime parameter." - input_parameters = var.cw_loggroup_retention_period_check_parameters - severity = "Medium" + description = "Checks if an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or else a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime , if specified, or else 365 days." + input_parameters = var.cw_loggroup_retention_period_check_parameters + resource_types_scope = ["AWS::Logs::LogGroup"] + severity = "Medium" } dax-encryption-enabled = { - description = "Checks if Amazon DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted." - severity = "Medium" + description = "Checks if Amazon DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted." 
+ resource_types_scope = ["AWS::DAX::Cluster"] + severity = "Medium" + } + + dax-tls-endpoint-encryption = { + description = "Checks if your Amazon DynamoDB Accelerator (DAX) cluster has ClusterEndpointEncryptionType set to TLS. The rule is NON_COMPLIANT if a DAX cluster is not encrypted by transport layer security (TLS)." + resource_types_scope = ["AWS::DAX::Cluster"] + severity = "Medium" } db-instance-backup-enabled = { 
@@ -528,16 +601,91 @@ locals { severity = "Low" } + dms-auto-minor-version-upgrade-check = { + description = "Checks if an AWS Database Migration Service (AWS DMS) replication instance has automatic minor version upgrades enabled. The rule is NON_COMPLIANT if an AWS DMS replication instance is not configured with automatic minor version upgrades." + resource_types_scope = ["AWS::DMS::ReplicationInstance"] + severity = "Medium" + } + + dms-endpoint-ssl-configured = { + description = "Checks if AWS Database Migration Service (AWS DMS) endpoints are configured with an SSL connection. The rule is NON_COMPLIANT if AWS DMS does not have an SSL connection configured." + resource_types_scope = ["AWS::DMS::Endpoint"] + severity = "Medium" + } + + dms-mongo-db-authentication-enabled = { + description = "Checks if AWS Database Migration Service (AWS DMS) endpoints for MongoDb data stores are enabled for password-based authentication and access control. The rule is NON_COMPLIANT if password-based authentication and access control is not enabled." + resource_types_scope = ["AWS::DMS::Endpoint"] + severity = "Medium" + } + + dms-neptune-iam-authorization-enabled = { + description = "Checks if an AWS Database Migration Service (AWS DMS) endpoint for Amazon Neptune databases is configured with IAM authorization. The rule is NON_COMPLIANT if an AWS DMS endpoint where Neptune is the target has IamAuthEnabled set to false." + resource_types_scope = ["AWS::DMS::Endpoint"] + severity = "Medium" + } + + dms-redis-tls-enabled = { + description = "Checks if AWS Database Migration Service (AWS DMS) endpoints for Redis data stores are enabled for TLS/SSL encryption of data communicated with other endpoints. The rule is NON_COMPLIANT if TLS/SSL encryption is not enabled." + resource_types_scope = ["AWS::DMS::Endpoint"] + severity = "Medium" + } + dms-replication-not-public = { - description = "Checks if AWS Database Migration Service (AWS DMS) replication instances are public. 
The rule is NON_COMPLIANT if PubliclyAccessible field is set to true." - severity = "Critical" + description = "Checks if AWS Database Migration Service (AWS DMS) replication instances are public. The rule is NON_COMPLIANT if PubliclyAccessible field is set to true." + resource_types_scope = ["AWS::DMS::ReplicationInstance"] + severity = "Critical" + } + + dms-replication-task-sourcedb-logging = { + description = "Checks if logging is enabled with a valid severity level for AWS DMS replication tasks of a source database. The rule is NON_COMPLIANT if logging is not enabled or logs for DMS replication tasks of a source database have a severity level that is not valid." + resource_types_scope = ["AWS::DMS::ReplicationTask"] + severity = "Medium" + } + + dms-replication-task-targetdb-logging = { + description = "Checks if logging is enabled with a valid severity level for AWS DMS replication task events of a target database. The rule is NON_COMPLIANT if logging is not enabled or replication task logging of a target database has a severity level that is not valid." + resource_types_scope = ["AWS::DMS::ReplicationTask"] + severity = "Medium" + } + + docdb-cluster-audit-logging-enabled = { + description = "Checks if an Amazon DocumentDB (with MongoDB compatibility) instance cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if an Amazon DocumentDB instance cluster does not have CloudWatch log export enabled for audit logs." + resource_types_scope = ["AWS::RDS::DBCluster"] + severity = "Medium" + } + + docdb-cluster-backup-retention-check = { + description = "Checks if an Amazon Document DB cluster retention period is set to specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter." 
+ input_parameters = var.docdb_cluster_backup_retention_check_parameters + resource_types_scope = ["AWS::RDS::DBCluster"] + severity = "Medium" + } + + docdb-cluster-deletion-protection-enabled = { + description = "Checks if an Amazon DocumentDB (with MongoDB compatibility) cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon DocumentDB cluster has the deletionProtection field set to false." + resource_types_scope = ["AWS::RDS::DBCluster"] + severity = "Medium" + } + + docdb-cluster-encrypted = { + description = "Checks if storage encryption is enabled for your Amazon DocumentDB (with MongoDB compatibility) clusters. The rule is NON_COMPLIANT if storage encryption is not enabled." + input_parameters = var.docdb_cluster_encrypted_parameters + resource_types_scope = ["AWS::RDS::DBCluster"] + severity = "Medium" + } + + docdb-cluster-snapshot-public-prohibited = { + description = "Checks if Amazon DocumentDB manual cluster snapshots are public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public." + resource_types_scope = ["AWS::RDS::DBClusterSnapshot"] + severity = "Critical" } dynamodb-autoscaling-enabled = { description = "Checks if Amazon DynamoDB tables or global secondary indexes can process read/write capacity using on-demand mode or provisioned mode with auto scaling enabled. The rule is NON_COMPLIANT if either mode is used without auto scaling enabled" input_parameters = var.dynamodb_autoscaling_enabled_parameters resource_types_scope = ["AWS::DynamoDB::Table"] - severity = "Low" + severity = "Medium" } dynamodb-in-backup-plan = { 
@@ -553,6 +701,13 @@ locals { severity = "Medium" } + dynamodb-meets-restore-time-target = { + description = "Checks if the restore time of Amazon DynamoDB Tables meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of a DynamoDB Table is greater than maxRestoreTime minutes." + input_parameters = var.dynamodb_meets_restore_time_target_parameters + resource_types_scope = ["AWS::DynamoDB::Table"] + severity = "Medium" + } + dynamodb-pitr-enabled = { description = "Checks if point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables." resource_types_scope = ["AWS::DynamoDB::Table"] @@ -566,6 +721,12 @@ locals { severity = "Medium" } + dynamodb-table-deletion-protection-enabled = { + description = "Checks if an Amazon DynamoDB table have deletion protection set to enabled. The rule is NON_COMPLIANT if the table have deletion protection set to disabled." + resource_types_scope = ["AWS::DynamoDB::Table"] + severity = "Medium" + } + dynamodb-table-encrypted-kms = { description = "Checks if Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if Amazon DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the encrypted AWS KMS key is not present in..." input_parameters = var.dynamodb_table_encrypted_kms_parameters 
@@ -586,8 +747,9 @@ locals { } ebs-in-backup-plan = { - description = "Check if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans." - severity = "Medium" + description = "Check if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans." + resource_types_scope = ["AWS::EC2::Volume"] + severity = "Medium" } ebs-last-backup-recovery-point-created = { @@ -597,6 +759,13 @@ locals { severity = "Medium" } + ebs-meets-restore-time-target = { + description = "Checks if the restore time of Amazon Elastic Block Store (Amazon EBS) volumes meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EBS volume is greater than maxRestoreTime minutes." + input_parameters = var.ebs_meets_restore_time_target_parameters + resource_types_scope = ["AWS::EC2::Volume"] + severity = "Medium" + } + ebs-optimized-instance = { description = "Checks if Amazon EBS optimization is enabled for your Amazon Elastic Compute Cloud (Amazon EC2) instances that can be Amazon EBS-optimized. The rule is NON_COMPLIANT if EBS optimization is not enabled for an Amazon EC2 instance that can be EBS-optimized." resource_types_scope = ["AWS::EC2::Instance"] @@ -607,7 +776,7 @@ locals { description = "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EBS volume is not covered by a backup plan." input_parameters = var.ebs_resources_protected_by_backup_plan_parameters resource_types_scope = ["AWS::EC2::Volume"] - severity = "Medium" + severity = "Low" } ebs-snapshot-public-restorable-check = { 
@@ -615,6 +784,12 @@ locals { severity = "Critical" } + ec2-client-vpn-connection-log-enabled = { + description = "Checks if AWS Client VPN endpoint has client connection logging enabled. The rule is NON_COMPLIANT if Configuration.ConnectionLogOptions.Enabled is set to false." + resource_types_scope = ["AWS::EC2::ClientVpnEndpoint"] + severity = "Low" + } + ec2-client-vpn-not-authorize-all = { description = "Checks if the AWS Client VPN authorization rules authorizes connection access for all clients. The rule is NON_COMPLIANT if AccessAll is present and set to true." resource_types_scope = ["AWS::EC2::ClientVpnEndpoint"] @@ -638,8 +813,8 @@ locals { severity = "Low" } - ec2-instance-managed-by-ssm = { - description = "Checks if your Amazon EC2 instances are managed by AWS Systems Manager (SSM Agent). The rule is NON_COMPLIANT if the EC2 instance previously associated with an SSM Agent instance inventory becomes unreachable or is not managed by SSM Agent." + ec2-instance-managed-by-systems-manager = { + description = "Checks if your Amazon EC2 instances are managed by AWS Systems Manager Agent (SSM Agent). The rule is NON_COMPLIANT if an EC2 instance is running and the SSM Agent is stopped, or if an EC2 instance is running and the SSM Agent is terminated." resource_types_scope = ["AWS::EC2::Instance", "AWS::SSM::ManagedInstanceInventory"] severity = "Medium" } @@ -675,7 +850,7 @@ locals { description = "Checks if Amazon EC2 Launch Templates are set to assign public IP addresses to Network Interfaces. The rule is NON_COMPLIANT if the default version of an EC2 Launch Template has at least 1 Network Interface with AssociatePublicIpAddress set to true ." input_parameters = var.ec2_launch_template_public_ip_disabled_parameters resource_types_scope = ["AWS::EC2::LaunchTemplate"] - severity = "Medium" + severity = "High" } ec2-managedinstance-applications-blacklisted = { 
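Review bot: Renaming the map key `ec2-instance-managed-by-ssm` to `ec2-instance-managed-by-systems-manager` in the hunk at `@@ -638,8 +813,8 @@` changes the identifier consumers use to look up, exclude or override this rule, so a caller still referencing the old key presumably loses the rule silently rather than failing (an exclusion list entry simply no longer matches, a `lookup` falls back to its default). The commit adds no alias or deprecation note for the old key, and whether anything references it is not visible here. If the rename is required to match the managed rule's current identifier, say so next to the key, `# renamed from ec2-instance-managed-by-ssm; update any exclusion lists`, and call the rename out in the changelog.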
@@ -708,7 +883,7 @@ locals { ec2-managedinstance-patch-compliance-status-check = { description = "Checks if the compliance status of the AWS Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT." resource_types_scope = ["AWS::SSM::PatchCompliance"] - severity = "Medium" + severity = "High" } ec2-managedinstance-platform-check = { @@ -718,6 +893,13 @@ locals { severity = "Medium" } + ec2-meets-restore-time-target = { + description = "Checks if the restore time of Amazon Elastic Compute Cloud (Amazon EC2) instances meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EC2 instance is greater than maxRestoreTime minutes." + input_parameters = var.ec2_meets_restore_time_target_parameters + resource_types_scope = ["AWS::EC2::Instance"] + severity = "Medium" + } + ec2-no-amazon-key-pair = { description = "Checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair." resource_types_scope = ["AWS::EC2::Instance"] @@ -727,7 +909,7 @@ locals { ec2-paravirtual-instance-check = { description = "Checks if the virtualization type of an EC2 instance is paravirtual. This rule is NON_COMPLIANT for an EC2 instance if virtualizationType is set to paravirtual ." resource_types_scope = ["AWS::EC2::Instance"] - severity = "Low" + severity = "Medium" } ec2-resources-protected-by-backup-plan = { 
@@ -740,19 +922,20 @@ locals { ec2-security-group-attached-to-eni = { description = "Checks if non-default security groups are attached to elastic network interfaces. The rule is NON_COMPLIANT if the security group is not associated with a network interface." resource_types_scope = ["AWS::EC2::SecurityGroup"] - severity = "Low" + severity = "Medium" } ec2-security-group-attached-to-eni-periodic = { description = "Checks if non-default security groups are attached to Elastic network interfaces (ENIs). The rule is NON_COMPLIANT if the security group is not associated with an ENI. Security groups not owned by the calling account evaluate as NOT_APPLICABLE." resource_types_scope = ["AWS::EC2::SecurityGroup"] - severity = "Low" + severity = "Medium" } ec2-stopped-instance = { - description = "Checks if there are Amazon Elastic Compute Cloud (Amazon EC2) instances stopped for more than the allowed number of days. The rule is NON_COMPLIANT if the state of an Amazon EC2 instance has been stopped for longer than the allowed number of days, or if..." - input_parameters = var.ec2_stopped_instance_parameters - severity = "Low" + description = "Checks if there are Amazon Elastic Compute Cloud (Amazon EC2) instances stopped for more than the allowed number of days. The rule is NON_COMPLIANT if the state of an Amazon EC2 instance has been stopped for longer than the allowed number of days, or if..." + input_parameters = var.ec2_stopped_instance_parameters + resource_types_scope = ["AWS::EC2::Instance"] + severity = "Medium" } ec2-token-hop-limit-check = { @@ -765,7 +948,7 @@ locals { ec2-transit-gateway-auto-vpc-attach-disabled = { description = "Checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have AutoAcceptSharedAttachments enabled. The rule is NON_COMPLIANT for a Transit Gateway if AutoAcceptSharedAttachments is set to enable ." resource_types_scope = ["AWS::EC2::TransitGateway"] - severity = "Low" + severity = "High" } ec2-volume-inuse-check = { 
@@ -776,9 +959,9 @@ locals { } ecr-private-image-scanning-enabled = { - description = "Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled. The rule is NON_COMPLIANT if the private ECR repository's scan frequency is not on scan on push or continuous scan." + description = "Checks if a private Amazon Elastic Container Registry (Amazon ECR) repository has image scanning enabled.The rule is NON_COMPLIANT if the private Amazon ECR repository's scan frequency is not on scan on push or continuous scan.For more information on..." resource_types_scope = ["AWS::ECR::Repository"] - severity = "Medium" + severity = "High" } ecr-private-lifecycle-policy-configured = { @@ -802,13 +985,13 @@ locals { ecs-containers-nonprivileged = { description = "Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to true . The rule is NON_COMPLIANT if the privileged parameter is true ." resource_types_scope = ["AWS::ECS::TaskDefinition"] - severity = "Medium" + severity = "High" } ecs-containers-readonly-access = { description = "Checks if Amazon Elastic Container Service (Amazon ECS) Containers only have read-only access to its root filesystems. The rule is NON_COMPLIANT if the readonlyRootFilesystem parameter in the container definition of ECSTaskDefinitions is set to false ." resource_types_scope = ["AWS::ECS::TaskDefinition"] - severity = "Medium" + severity = "High" } ecs-container-insights-enabled = { 
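Review bot: The new `ecr-private-image-scanning-enabled` description is pasted with missing spaces after the sentence breaks (`enabled.The rule`, `scan.For more information on...`) and ends on a dangling "For more information on..." fragment, which is presumably what surfaces as the rule's description wherever this string is consumed; the same pattern appears in the `elbv2-multiple-az` description in the hunk at `@@ -1023`. Keep the two sentences that describe the check and drop the truncated reference: `description = "Checks if a private Amazon Elastic Container Registry (Amazon ECR) repository has image scanning enabled. The rule is NON_COMPLIANT if the private Amazon ECR repository's scan frequency is not on scan on push or continuous scan."`.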
@@ -821,20 +1004,20 @@ locals { description = "Checks if ECS Fargate services is set to the latest platform version. The rule is NON_COMPLIANT if PlatformVersion for the Fargate launch type is not set to LATEST, or if neither latestLinuxVersion nor latestWindowsVersion are provided as parameters." input_parameters = var.ecs_fargate_latest_platform_version_parameters resource_types_scope = ["AWS::ECS::Service"] - severity = "Low" + severity = "Medium" } ecs-no-environment-secrets = { description = "Checks if secrets are passed as container environment variables. The rule is NON_COMPLIANT if 1 or more environment variable key matches a key listed in the secretKeys parameter (excluding environmental variables from other locations such as Amazon S3)." input_parameters = var.ecs_no_environment_secrets_parameters resource_types_scope = ["AWS::ECS::TaskDefinition"] - severity = "Critical" + severity = "High" } ecs-task-definition-log-configuration = { description = "Checks if logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition." resource_types_scope = ["AWS::ECS::TaskDefinition"] - severity = "Medium" + severity = "High" } ecs-task-definition-memory-hard-limit = { @@ -846,7 +1029,7 @@ locals { ecs-task-definition-nonroot-user = { description = "Checks if ECSTaskDefinitions specify a user for Amazon Elastic Container Service (Amazon ECS) EC2 launch type containers to run on. The rule is NON_COMPLIANT if the user parameter is not present or set to root ." resource_types_scope = ["AWS::ECS::TaskDefinition"] - severity = "High" + severity = "Medium" } ecs-task-definition-pid-mode-check = { 
@@ -856,7 +1039,7 @@ locals { } ecs-task-definition-user-for-host-mode-check = { - description = "Checks if an Amazon Elastic Container Service (Amazon ECS) task definition with host networking mode has privileged or user container definitions. The rule is NON_COMPLIANT for task definitions with host network mode and container definitions of..." + description = "Checks for unauthorized permissions in your latest active Amazon Elastic Container Service (Amazon ECS) task definitions that have NetworkMode set to host. The rule is NON_COMPLIANT for task definitions with NetworkMode set to host, and container..." input_parameters = var.ecs_task_definition_user_for_host_mode_check_parameters resource_types_scope = ["AWS::ECS::TaskDefinition"] severity = "High" 
@@ -873,18 +1056,20 @@ locals { description = "Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity. The rule is NON_COMPLIANT if PosixUser is not defined or if parameters are provided and there is no match in the corresponding parameter." input_parameters = var.efs_access_point_enforce_user_identity_parameters resource_types_scope = ["AWS::EFS::AccessPoint"] - severity = "High" + severity = "Medium" } efs-encrypted-check = { - description = "Checks if Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the encrypted key is set to false on DescribeFileSystems or if the KmsKeyId key on..." - input_parameters = var.efs_encrypted_check_parameters - severity = "Medium" + description = "Checks if Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the encrypted key is set to false on DescribeFileSystems or if the KmsKeyId key on..." + input_parameters = var.efs_encrypted_check_parameters + resource_types_scope = ["AWS::EFS::FileSystem"] + severity = "Medium" } efs-in-backup-plan = { - description = "Checks if Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans." - severity = "Medium" + description = "Checks if Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans." + resource_types_scope = ["AWS::EFS::FileSystem"] + severity = "Medium" } efs-last-backup-recovery-point-created = { 
@@ -894,6 +1079,19 @@ locals { severity = "Medium" } + efs-meets-restore-time-target = { + description = "Checks if the restore time of Amazon Elastic File System (Amazon EFS) File Systems meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EFS File System is greater than maxRestoreTime minutes." + input_parameters = var.efs_meets_restore_time_target_parameters + resource_types_scope = ["AWS::EFS::FileSystem"] + severity = "Medium" + } + + efs-mount-target-public-accessible = { + description = "Checks if an Amazon Elastic File System (Amazon EFS) mount target is not associated with a public subnet. The rule is NON-COMPLIANT if the Amazon EFS mount target is associated with a public subnet." + resource_types_scope = ["AWS::EFS::FileSystem"] + severity = "Medium" + } + efs-resources-protected-by-backup-plan = { description = "Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the EFS File System is not covered by a backup plan." input_parameters = var.efs_resources_protected_by_backup_plan_parameters @@ -913,6 +1111,13 @@ locals { severity = "Medium" } + eks-cluster-log-enabled = { + description = "Checks if an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled or if logging is not enabled with the log type mentioned." + input_parameters = var.eks_cluster_log_enabled_parameters + resource_types_scope = ["AWS::EKS::Cluster"] + severity = "Medium" + } + eks-cluster-oldest-supported-version = { description = "Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version. The rule is NON_COMPLIANT if an EKS cluster is running oldest supported version (equal to the parameter oldestVersionSupported )." input_parameters = var.eks_cluster_oldest_supported_version_parameters 
@@ -920,28 +1125,37 @@ locals { severity = "Medium" } + eks-cluster-secrets-encrypted = { + description = "Checks if Amazon EKS clusters are configured to have Kubernetes secrets encrypted using AWS KMS. The rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig resource or if encryptionConfig does not name secrets as a resource." + input_parameters = var.eks_cluster_secrets_encrypted_parameters + resource_types_scope = ["AWS::EKS::Cluster"] + severity = "Medium" + } + eks-cluster-supported-version = { description = "Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version. This rule is NON_COMPLIANT if an EKS cluster is running an unsupported version (less than the parameter oldestVersionSupported )." input_parameters = var.eks_cluster_supported_version_parameters resource_types_scope = ["AWS::EKS::Cluster"] - severity = "Medium" + severity = "High" } eks-endpoint-no-public-access = { - description = "Checks if the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible." - severity = "Medium" + description = "Checks if the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible." + resource_types_scope = ["AWS::EKS::Cluster"] + severity = "High" } eks-secrets-encrypted = { - description = "Checks if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys." - input_parameters = var.eks_secrets_encrypted_parameters - severity = "Medium" + description = "Checks if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys." 
+ input_parameters = var.eks_secrets_encrypted_parameters + resource_types_scope = ["AWS::EKS::Cluster"] + severity = "Medium" } elasticache-auto-minor-version-upgrade-check = { description = "Checks if Amazon ElastiCache for Redis clusters have auto minor version upgrades enabled. The rule is NON_COMPLIANT for an ElastiCache cluster if it is using the Redis engine and AutoMinorVersionUpgrade is not set to true ." resource_types_scope = ["AWS::ElastiCache::CacheCluster"] - severity = "Medium" + severity = "High" } elasticache-rbac-auth-enabled = { @@ -955,7 +1169,7 @@ locals { description = "Check if the Amazon ElastiCache Redis clusters have automatic backup turned on. The rule is NON_COMPLIANT if the SnapshotRetentionLimit for Redis cluster is less than the SnapshotRetentionPeriod parameter. For example: If the parameter is 15 then the..." input_parameters = var.elasticache_redis_cluster_automatic_backup_check_parameters resource_types_scope = ["AWS::ElastiCache::CacheCluster", "AWS::ElastiCache::ReplicationGroup"] - severity = "Medium" + severity = "High" } elasticache-repl-grp-auto-failover-enabled = { @@ -986,7 +1200,7 @@ locals { elasticache-subnet-group-check = { description = "Checks if Amazon ElastiCache clusters are configured with a custom subnet group. The rule is NON_COMPLIANT for an ElastiCache cluster if it is using a default subnet group." resource_types_scope = ["AWS::ElastiCache::CacheCluster"] - severity = "Medium" + severity = "High" } elasticache-supported-engine-version = { 
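Review bot: The added `eks-cluster-secrets-encrypted` entry evaluates the same control as the existing `eks-secrets-encrypted` entry a few lines below it in the same hunk — both are scoped to `AWS::EKS::Cluster` and both check that Kubernetes secrets are encrypted with KMS — yet each takes its own parameters variable, so the two can be configured to disagree and every cluster is evaluated twice. Nothing in the hunk records whether both are meant to stay enabled. If the newer rule is intended to replace the older one, say so on the entry, `# overlaps with eks-secrets-encrypted below; enable one of the two`, or document which parameters variable is authoritative.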
@@ -997,20 +1211,22 @@ locals { } elasticsearch-encrypted-at-rest = { - description = "Checks if Amazon OpenSearch Service (previously called Elasticsearch) domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled." - severity = "Medium" + description = "Checks if Amazon OpenSearch Service (previously called Elasticsearch) domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled." + resource_types_scope = ["AWS::Elasticsearch::Domain"] + severity = "Medium" } elasticsearch-in-vpc-only = { - description = "Checks if Amazon OpenSearch Service (previously called Elasticsearch) domains are in Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public." - severity = "Critical" + description = "Checks if Amazon OpenSearch Service (previously called Elasticsearch) domains are in Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public." + resource_types_scope = ["AWS::Elasticsearch::Domain"] + severity = "Critical" } elasticsearch-logs-to-cloudwatch = { description = "Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is COMPLIANT if a log is enabled for an Amazon ES domain. This rule is NON_COMPLIANT if logging is not configured." input_parameters = var.elasticsearch_logs_to_cloudwatch_parameters resource_types_scope = ["AWS::Elasticsearch::Domain"] - severity = "Low" + severity = "Medium" } elasticsearch-node-to-node-encryption-check = { 
@@ -1023,24 +1239,25 @@ locals { description = "Checks if AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of StreamLogs is false." input_parameters = var.elastic_beanstalk_logs_to_cloudwatch_parameters resource_types_scope = ["AWS::ElasticBeanstalk::Environment"] - severity = "Medium" + severity = "High" } elastic-beanstalk-managed-updates-enabled = { description = "Checks if managed platform updates in an AWS Elastic Beanstalk environment is enabled. The rule is COMPLIANT if the value for ManagedActionsEnabled is set to true. The rule is NON_COMPLIANT if the value for ManagedActionsEnabled is set to false, or if a..." input_parameters = var.elastic_beanstalk_managed_updates_enabled_parameters resource_types_scope = ["AWS::ElasticBeanstalk::Environment"] - severity = "Medium" + severity = "High" } elbv2-acm-certificate-required = { - description = "Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM). This rule is NON_COMPLIANT if at least 1 load balancer has at least 1 listener that is configured..." - input_parameters = var.elbv2_acm_certificate_required_parameters - severity = "Medium" + description = "Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM). This rule is NON_COMPLIANT if at least 1 load balancer has at least 1 listener that is configured..." + input_parameters = var.elbv2_acm_certificate_required_parameters + resource_types_scope = ["AWS::ElasticLoadBalancingV2::LoadBalancer"] + severity = "Medium" } elbv2-multiple-az = { - description = "Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZ s). 
The rule is NON_COMPLIANT if an Elastic Load Balancer V2 has instances registered in less than 2 AZ's." + description = "Checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) is mapped to multiple Availability Zones (AZs).The rule is NON_COMPLIANT if an Elastic Load Balancer V2 is mapped to less than 2 AZs.For more information, see..." input_parameters = var.elbv2_multiple_az_parameters resource_types_scope = ["AWS::ElasticLoadBalancingV2::LoadBalancer"] severity = "Medium" @@ -1049,7 +1266,7 @@ locals { elb-acm-certificate-required = { description = "Checks if the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. This rule is only applicable to Classic Load Balancers. This rule does not..." resource_types_scope = ["AWS::ElasticLoadBalancing::LoadBalancer"] - severity = "Low" + severity = "Medium" } elb-cross-zone-load-balancing-enabled = { 
@@ -1091,15 +1308,22 @@ locals {
 severity = "Medium"
 }
+ emr-block-public-access = {
+ description = "Checks if an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if true, ports other than Port 22 are listed in PermittedPublicSecurityGroupRuleRanges."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "Critical"
+ }
+
 emr-kerberos-enabled = {
- description = "Checks if Amazon EMR clusters have Kerberos enabled. The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule parameters."
- input_parameters = var.emr_kerberos_enabled_parameters
- severity = "Medium"
+ description = "Checks if Amazon EMR clusters have Kerberos enabled. The rule is NON_COMPLIANT if a security configuration is not attached to the cluster or the security configuration does not satisfy the specified rule parameters."
+ input_parameters = var.emr_kerberos_enabled_parameters
+ resource_types_scope = ["AWS::EMR::Cluster"]
+ severity = "Medium"
 }
 emr-master-no-public-ip = {
 description = "Checks if Amazon EMR clusters master nodes have public IPs. The rule is NON_COMPLIANT if the master node has a public IP."
- resource_types_scope = ["AWS::EMR::Cluster"]
+ resource_types_scope = ["AWS::EMR::Cluster", "AWS::EC2::Instance"]
 severity = "High"
 }
@@ -1138,32 +1362,105 @@ locals {
 severity = "Medium"
 }
- fsx-resources-protected-by-backup-plan = {
- description = "Checks if Amazon FSx File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon FSx File System is not covered by a backup plan."
- input_parameters = var.fsx_resources_protected_by_backup_plan_parameters
+ fsx-lustre-copy-tags-to-backups = {
+ description = "Checks if the Amazon FSx for Lustre file systems are configured to copy tags to backups. The rule is NON_COMPLIANT if Lustre file systems are not configured to copy tags to backups."
 resource_types_scope = ["AWS::FSx::FileSystem"]
- severity = "Medium"
+ severity = "Low"
 }
- guardduty-enabled-centralized = {
+ fsx-meets-restore-time-target = {
+ description = "Checks if the restore time of Amazon FSx File Systems meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon FSx File System is greater than maxRestoreTime minutes."
+ input_parameters = var.fsx_meets_restore_time_target_parameters
+ resource_types_scope = ["AWS::FSx::FileSystem"]
+ severity = "Medium"
+ }
+
+ fsx-openzfs-copy-tags-enabled = {
+ description = "Checks if the Amazon FSx for OpenZFS file systems are configured to copy tags to backups and volumes. The rule is NON_COMPLIANT if FSx for OpenZFS file systems are not configured to copy tags to backups and volumes."
+ resource_types_scope = ["AWS::FSx::FileSystem"]
+ severity = "Low"
+ }
+
+ fsx-resources-protected-by-backup-plan = {
+ description = "Checks if Amazon FSx File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon FSx File System is not covered by a backup plan."
+ input_parameters = var.fsx_resources_protected_by_backup_plan_parameters
+ resource_types_scope = ["AWS::FSx::FileSystem"]
+ severity = "Medium"
+ }
+
+ fsx-windows-audit-log-configured = {
+ description = "Checks if the Amazon FSx for Windows File Server file systems have file access auditing enabled. The rule is NON_COMPLIANT if the FSx for Windows File Server file systems do not have file access auditing enabled."
+ resource_types_scope = ["AWS::FSx::FileSystem"]
+ severity = "Medium"
+ }
+
+ global-endpoint-event-replication-enabled = {
+ description = "Checks if event replication is enabled for Amazon EventBridge global endpoints. The rule is NON_COMPLIANT if event replication is not enabled."
+ resource_types_scope = ["AWS::Events::Endpoint"]
+ severity = "Medium"
+ }
+
+ guardduty-eks-protection-audit-enabled = {
+ description = "Checks if Audit Log Monitoring for Amazon Elastic Kubernetes Service (Amazon EKS) is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the EKS Audit Log Monitoring feature is not enabled for your account."
+ resource_types_scope = ["AWS::GuardDuty::Detector"]
+ severity = "Medium"
+ }
+
+ guardduty-eks-protection-runtime-enabled = {
+ description = "Checks if Amazon EKS Runtime Monitoring with automated agent management is enabled for GuardDuty detector in your account. The rule is NON_COMPLIANT if EKS Runtime Monitoring with automated agent management in GuardDuty is not enabled for your account."
+ resource_types_scope = ["AWS::GuardDuty::Detector"]
+ severity = "Low"
+ }
+
+ guardduty-enabled-centralized = {
 description = "Checks if Amazon GuardDuty is enabled in your AWS account and AWS Region. If you provide an AWS account for centralization, the rule evaluates the GuardDuty results in the centralized account. The rule is COMPLIANT when GuardDuty is enabled."
 input_parameters = var.guardduty_enabled_centralized_parameters
 severity = "High"
 }
+ guardduty-lambda-protection-enabled = {
+ description = "Checks if Lambda Protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Lambda Protection feature in Amazon GuardDuty is not enabled for your account."
+ resource_types_scope = ["AWS::GuardDuty::Detector"]
+ severity = "Medium"
+ }
+
+ guardduty-malware-protection-enabled = {
+ description = "Checks if Malware Protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Malware Protection feature in Amazon GuardDuty is not enabled for your account."
+ resource_types_scope = ["AWS::GuardDuty::Detector"]
+ severity = "Medium"
+ }
+
 guardduty-non-archived-findings = {
 description = "Checks if Amazon GuardDuty has findings that are non-archived. The rule is NON_COMPLIANT if GuardDuty has non-archived low/medium/high severity findings older than the specified number in the daysLowSev/daysMediumSev/ daysHighSev parameter."
 input_parameters = var.guardduty_non_archived_findings_parameters
 severity = "Medium"
 }
+ guardduty-rds-protection-enabled = {
+ description = "Checks if Amazon Relational Database Service (Amazon RDS) protection is enabled for an Amazon GuardDuty detector in your account. The rule is NON_COMPLIANT if the Amazon RDS protection feature in Amazon GuardDuty is not enabled for you account."
+ resource_types_scope = ["AWS::GuardDuty::Detector"]
+ severity = "Medium"
+ }
+
+ guardduty-s3-protection-enabled = {
+ description = "Checks if S3 Protection is enabled for an Amazon GuardDuty Detector in your account. The rule is NON_COMPLIANT if the S3 Protection feature in Amazon GuardDuty is not enabled for your account."
+ resource_types_scope = ["AWS::GuardDuty::Detector"]
+ severity = "Medium"
+ }
+
 iam-customer-policy-blocked-kms-actions = {
- description = "Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS KMS) keys. The rule is NON_COMPLIANT if any blocked action is allowed on AWS KMS keys by the managed IAM policy."
+ description = "Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on AWS KMS keys by the managed IAM policy."
 input_parameters = var.iam_customer_policy_blocked_kms_actions_parameters
 resource_types_scope = ["AWS::IAM::Policy"]
 severity = "Medium"
 }
+ iam-external-access-analyzer-enabled = {
+ description = "Checks if an IAM Access Analyzer for external access is activated in your account per region. The rule is NON_COMPLIANT if there are no analyzers for external access in the region or if the status attribute is not set to ACTIVE ."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "High"
+ }
+
 iam-group-has-users-check = {
 description = "Checks whether IAM groups have at least one IAM user."
 resource_types_scope = ["AWS::IAM::Group"]
@@ -1197,9 +1494,10 @@ locals {
 }
 iam-policy-in-use = {
- description = "Checks whether the IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity."
- input_parameters = var.iam_policy_in_use_parameters
- severity = "Medium"
+ description = "Checks whether the IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity."
+ input_parameters = var.iam_policy_in_use_parameters
+ resource_types_scope = ["AWS::IAM::Policy"]
+ severity = "Low"
 }
 iam-policy-no-statements-with-admin-access = {
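Review bot: `guardduty-enabled-centralized` is moved by this hunk but, unlike every other GuardDuty entry added here (all scoped to `AWS::GuardDuty::Detector`) and unlike the entries the commit backfills elsewhere (`emr-kerberos-enabled`, `iam-policy-in-use`, `iam-user-mfa-enabled`), it still has no `resource_types_scope`; the same is true of `guardduty-non-archived-findings` a few lines below. Whether a missing scope makes the module evaluate the rule against every recorded resource type, or is simply ignored for periodic rules, depends on how the map is consumed outside this hunk, so either the scope should be added (presumably account-level as for `macie-status-check` and `iam-external-access-analyzer-enabled`, i.e. `resource_types_scope = ["AWS::::Account"]`, to be confirmed against the managed-rule definition) or a comment such as `# periodic account-level rule; no resource scope by design` should record that the omission is intentional. The enclosing `locals` block starts and ends outside the hunk.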
@@ -1217,7 +1515,7 @@ locals {
 }
 iam-role-managed-policy-check = {
- description = "Checks if all AWS managed policies specified in the list of managed policies are attached to the AWS Identity and Access Management (IAM) role. The rule is NON_COMPLIANT if an AWS managed policy is not attached to the IAM role."
+ description = "Checks if all managed policies specified in the list of managed policies are attached to the AWS Identity and Access Management (IAM) role. The rule is NON_COMPLIANT if a managed policy is not attached to the IAM role."
 input_parameters = var.iam_role_managed_policy_check_parameters
 resource_types_scope = ["AWS::IAM::Role"]
 severity = "Medium"
@@ -1228,6 +1526,12 @@ locals {
 severity = "Critical"
 }
+ iam-server-certificate-expiration-check = {
+ description = "Checks if AWS IAM SSL/TLS server certificates stored in IAM are expired. The rule is NON_COMPLIANT if an IAM server certificate is expired."
+ resource_types_scope = ["AWS::IAM::ServerCertificate"]
+ severity = "Medium"
+ }
+
 iam-user-group-membership-check = {
 description = "Checks whether IAM users are members of at least one IAM group."
 input_parameters = var.iam_user_group_membership_check_parameters
@@ -1236,8 +1540,9 @@ locals {
 }
 iam-user-mfa-enabled = {
- description = "Checks if the AWS Identity and Access Management (IAM) users have multi-factor authentication (MFA) enabled. The rule is NON_COMPLIANT if MFA is not enabled for at least one IAM user."
- severity = "Medium"
+ description = "Checks if the AWS Identity and Access Management (IAM) users have multi-factor authentication (MFA) enabled. The rule is NON_COMPLIANT if MFA is not enabled for at least one IAM user."
+ resource_types_scope = ["AWS::IAM::User"]
+ severity = "Medium"
 }
 iam-user-no-policies-check = {
@@ -1247,20 +1552,45 @@ locals {
 }
 iam-user-unused-credentials-check = {
- description = "Checks if your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. The rule is NON_COMPLIANT if there are inactive accounts not recently used."
- input_parameters = var.iam_user_unused_credentials_check_parameters
- severity = "Medium"
+ description = "Checks if your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. The rule is NON_COMPLIANT if there are inactive accounts not recently used."
+ input_parameters = var.iam_user_unused_credentials_check_parameters
+ resource_types_scope = ["AWS::IAM::User"]
+ severity = "Medium"
 }
- incoming-ssh-disabled = {
- description = "Checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0). This rule applies only to IPv4."
+ restricted-ssh = {
+ description = "Checks if the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT if the IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0 or ::/0). Otherwise, NON_COMPLIANT."
 resource_types_scope = ["AWS::EC2::SecurityGroup"]
 severity = "High"
 }
- instances-in-vpc = {
+ inspector-ec2-scan-enabled = {
+ description = "Checks if Amazon Inspector V2 EC2 scanning is activated for your single or multi-account environment to detect potential vulnerabilities and network reachability issues on your EC2 instances. The rule is NON_COMPLIANT if EC2 scanning is not activated."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "Medium"
+ }
+
+ inspector-ecr-scan-enabled = {
+ description = "Checks if Amazon Inspector V2 ECR scanning is activated for your single or multi-account environment to detect potential software vulnerabilities in your container images. The rule is NON_COMPLIANT if ECR scanning is not activated."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "Medium"
+ }
+
+ inspector-lambda-code-scan-enabled = {
+ description = "Checks if Amazon Inspector V2 Lambda code scanning is activated for your single or multi-account environment to detect potential code vulnerabilities. The rule is NON_COMPLIANT if Lambda code scanning is not activated."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "Medium"
+ }
+
+ inspector-lambda-standard-scan-enabled = {
+ description = "Checks if Amazon Inspector V2 Lambda standard scanning is activated for your single or multi-account environment to detect potential software vulnerabilities. The rule is NON_COMPLIANT if Lambda standard scanning is not activated."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "Medium"
+ }
+
+ ec2-instances-in-vpc = {
 description = "Checks if your EC2 instances belong to a virtual private cloud (VPC). Optionally, you can specify the VPC ID to associate with your instances."
- input_parameters = var.instances_in_vpc_parameters
+ input_parameters = var.ec2_instances_in_vpc_parameters
 resource_types_scope = ["AWS::EC2::Instance"]
 severity = "Medium"
 }
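Review bot: Renaming the map keys `incoming-ssh-disabled` → `restricted-ssh` and `instances-in-vpc` → `ec2-instances-in-vpc` (with `var.instances_in_vpc_parameters` → `var.ec2_instances_in_vpc_parameters`) is a breaking change for any caller that selects or excludes rules by key or sets the old variable, yet nothing in the hunk records it; the same applies to `multi-region-cloud-trail-enabled` → `multi-region-cloudtrail-enabled` in the hunk at -1343 and `restricted-incoming-traffic` → `restricted-common-ports` in the hunk at -1650. The new names presumably track the current managed-rule identifiers, but the old keys simply vanish, so depending on how the keys are consumed a user who pinned `incoming-ssh-disabled` may silently lose the SSH-exposure check rather than get an error. Please list the renames in the changelog or the module's upgrade notes and, if the module supports it, keep the old variable names as deprecated inputs for one release. The enclosing `locals` block starts and ends outside the hunk.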
@@ -1272,17 +1602,24 @@ locals {
 severity = "High"
 }
+ kinesis-firehose-delivery-stream-encrypted = {
+ description = "Checks if Amazon Kinesis Data Firehose delivery streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT if a Kinesis Data Firehose delivery stream is not encrypted at rest with server-side encryption."
+ input_parameters = var.kinesis_firehose_delivery_stream_encrypted_parameters
+ resource_types_scope = ["AWS::KinesisFirehose::DeliveryStream"]
+ severity = "Medium"
+ }
+
 kinesis-stream-encrypted = {
 description = "Checks if Amazon Kinesis streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT for a Kinesis stream if StreamEncryption is not present."
 resource_types_scope = ["AWS::Kinesis::Stream"]
- severity = "High"
+ severity = "Medium"
 }
 kms-cmk-not-scheduled-for-deletion = {
- description = "Checks if AWS KMS keys are not scheduled for deletion in AWS Key Management Service (AWS KMS). The rule is NON_COMPLAINT if KMS keys are scheduled for deletion."
+ description = "Checks if AWS Key Management Service (AWS KMS) keys are not scheduled for deletion in AWS KMS. The rule is NON_COMPLIANT if KMS keys are scheduled for deletion."
 input_parameters = var.kms_cmk_not_scheduled_for_deletion_parameters
 resource_types_scope = ["AWS::KMS::Key"]
- severity = "Critical"
+ severity = "Medium"
 }
 lambda-concurrency-check = {
@@ -1306,7 +1643,7 @@ locals {
 }
 lambda-function-settings-check = {
- description = "Checks if the AWS Lambda function settings for runtime, role, timeout, and memory size match the expected values. The rule ignores functions with the Image package type. The rule is NON_COMPLIANT if the Lambda function settings do not match the expected..."
+ description = "Checks if the AWS Lambda function settings for runtime, role, timeout, and memory size match the expected values. The rule ignores functions with the Image package type and functions with runtime set to OS-only Runtime . The rule is NON_COMPLIANT if the..."
 input_parameters = var.lambda_function_settings_check_parameters
 resource_types_scope = ["AWS::Lambda::Function"]
 severity = "Medium"
@@ -1326,6 +1663,12 @@ locals {
 severity = "Medium"
 }
+ macie-auto-sensitive-data-discovery-check = {
+ description = "Checks if automated sensitive data discovery is enabled for Amazon Macie. The rule is NON_COMPLIANT if automated sensitive data discovery is disabled. The rule is APPLICABLE for administrator accounts and NOT_APPLICABLE for member accounts."
+ resource_types_scope = ["AWS::::Account"]
+ severity = "High"
+ }
+
 macie-status-check = {
 description = "Checks if Amazon Macie is enabled in your account per region. The rule is NON_COMPLIANT if the status attribute is not set to ENABLED ."
 resource_types_scope = ["AWS::::Account"]
@@ -1333,8 +1676,15 @@ locals {
 }
 mfa-enabled-for-iam-console-access = {
- description = "Checks if AWS multi-factor authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled."
- severity = "Medium"
+ description = "Checks if AWS multi-factor authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled."
+ resource_types_scope = ["AWS::IAM::User"]
+ severity = "Medium"
+ }
+
+ mq-active-deployment-mode = {
+ description = "Checks the deployment mode configured for Amazon MQ ActiveMQ broker engine. The rule is NON_COMPLIANT if the default single-instance broker mode is being used."
+ resource_types_scope = ["AWS::AmazonMQ::Broker"]
+ severity = "Low"
 }
 mq-automatic-minor-version-upgrade-enabled = {
@@ -1343,28 +1693,120 @@ locals {
 severity = "Medium"
 }
+ mq-auto-minor-version-upgrade-enabled = {
+ description = "Checks if automatic minor version upgrades are enabled for Amazon MQ brokers. The rule is NON_COMPLIANT if the AutoMinorVersionUpgrade field is not enabled for an Amazon MQ broker."
+ resource_types_scope = ["AWS::AmazonMQ::Broker"]
+ severity = "Low"
+ }
+
 mq-cloudwatch-audit-logging-enabled = {
 description = "Checks if Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled."
 resource_types_scope = ["AWS::AmazonMQ::Broker"]
 severity = "Medium"
 }
+ mq-cloudwatch-audit-log-enabled = {
+ description = "Checks if an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled."
+ resource_types_scope = ["AWS::AmazonMQ::Broker"]
+ severity = "Medium"
+ }
+
 mq-no-public-access = {
 description = "Checks if Amazon MQ brokers are not publicly accessible. The rule is NON_COMPLIANT if the PubliclyAccessible field is set to true for an Amazon MQ broker."
 resource_types_scope = ["AWS::AmazonMQ::Broker"]
 severity = "Medium"
 }
- multi-region-cloud-trail-enabled = {
+ mq-rabbit-deployment-mode = {
+ description = "Checks the deployment mode configured for the Amazon MQ RabbitMQ broker engine. The rule is NON_COMPLIANT if the default single-instance broker mode is being used."
+ resource_types_scope = ["AWS::AmazonMQ::Broker"]
+ severity = "Low"
+ }
+
+ msk-enhanced-monitoring-enabled = {
+ description = "Checks if enhanced monitoring is enabled for an Amazon MSK cluster set to PER_TOPIC_PER_BROKER or PER_TOPIC_PER_PARTITION. The rule is NON_COMPLIANT if enhanced monitoring is enabled and set to DEFAULT or PER_BROKER."
+ resource_types_scope = ["AWS::MSK::Cluster"]
+ severity = "Low"
+ }
+
+ msk-in-cluster-node-require-tls = {
+ description = "Checks if an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. The rule is NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections."
+ resource_types_scope = ["AWS::MSK::Cluster"]
+ severity = "Medium"
+ }
+
+ multi-region-cloudtrail-enabled = {
 description = "Checks if there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match input parameters.The rule is NON_COMPLIANT if the ExcludeManagementEventSources field is not empty or if AWS CloudTrail is configured to..."
- input_parameters = var.multi_region_cloud_trail_enabled_parameters
- severity = "Critical"
+ input_parameters = var.multi_region_cloudtrail_enabled_parameters
+ severity = "High"
 }
 nacl-no-unrestricted-ssh-rdp = {
 description = "Checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389."
 resource_types_scope = ["AWS::EC2::NetworkAcl"]
- severity = "High"
+ severity = "Medium"
+ }
+
+ neptune-cluster-backup-retention-check = {
+ description = "Checks if an Amazon Neptune DB cluster retention period is set to specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter."
+ input_parameters = var.neptune_cluster_backup_retention_check_parameters
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
+ }
+
+ neptune-cluster-cloudwatch-log-export-enabled = {
+ description = "Checks if an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs."
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
+ }
+
+ neptune-cluster-copy-tags-to-snapshot-enabled = {
+ description = "Checks if an Amazon Neptune cluster is configured to copy all tags to snapshots when the snapshots are created. The rule is NON_COMPLIANT if copyTagsToSnapshot is set to false."
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Low"
+ }
+
+ neptune-cluster-deletion-protection-enabled = {
+ description = "Checks if an Amazon Neptune DB cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster has the deletionProtection field set to false."
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Low"
+ }
+
+ neptune-cluster-encrypted = {
+ description = "Checks if storage encryption is enabled for your Amazon Neptune DB clusters. The rule is NON_COMPLIANT if storage encryption is not enabled."
+ input_parameters = var.neptune_cluster_encrypted_parameters
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
+ }
+
+ neptune-cluster-iam-database-authentication = {
+ description = "Checks if an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled."
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
+ }
+
+ neptune-cluster-multi-az-enabled = {
+ description = "Checks if an Amazon Neptune cluster is configured with Amazon RDS Multi-AZ replication. The rule is NON_COMPLIANT if Multi-AZ replication is not enabled."
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
+ }
+
+ neptune-cluster-snapshot-encrypted = {
+ description = "Checks if an Amazon Neptune DB cluster has snapshots encrypted. The rule is NON_COMPLIANT if a Neptune cluster does not have snapshots encrypted."
+ resource_types_scope = ["AWS::RDS::DBClusterSnapshot"]
+ severity = "Medium"
+ }
+
+ neptune-cluster-snapshot-public-prohibited = {
+ description = "Checks if an Amazon Neptune manual DB cluster snapshot is public. The rule is NON_COMPLIANT if any existing and new Neptune cluster snapshot is public."
+ resource_types_scope = ["AWS::RDS::DBClusterSnapshot"]
+ severity = "Critical"
+ }
+
+ netfw-deletion-protection-enabled = {
+ description = "Checks if AWS Network Firewall has deletion protection enabled. The rule is NON_COMPLIANT if Network Firewall does not have deletion protection enabled."
+ resource_types_scope = ["AWS::NetworkFirewall::Firewall"]
+ severity = "Medium"
 }
 netfw-logging-enabled = {
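Review bot: `mq-auto-minor-version-upgrade-enabled` and `mq-cloudwatch-audit-log-enabled` are added directly beside the existing `mq-automatic-minor-version-upgrade-enabled` and `mq-cloudwatch-audit-logging-enabled`, and each pair has a near-identical description, the same scope and the same severity, so the new entries read as copy-paste duplicates. If both names in a pair are genuine managed-rule identifiers the duplication is deliberate but will invite a "cleanup" later, so a comment on the newer entry such as `# distinct upstream identifier from mq-cloudwatch-audit-logging-enabled above; both kept intentionally` would stop one being deleted as a duplicate; if only one of each pair exists upstream, the other will presumably be rejected when the rule is created and should be dropped now. The enclosing `locals` block starts and ends outside the hunk.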
@@ -1385,20 +1827,20 @@ locals {
 description = "Checks if an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if stateless default action for fragmented packets does not match with user defined default action."
 input_parameters = var.netfw_policy_default_action_fragment_packets_parameters
 resource_types_scope = ["AWS::NetworkFirewall::FirewallPolicy"]
- severity = "High"
+ severity = "Medium"
 }
 netfw-policy-default-action-full-packets = {
 description = "Checks if an AWS Network Firewall policy is configured with a user defined default stateless action for full packets. This rule is NON_COMPLIANT if default stateless action for full packets does not match with user defined default stateless action."
 input_parameters = var.netfw_policy_default_action_full_packets_parameters
 resource_types_scope = ["AWS::NetworkFirewall::FirewallPolicy"]
- severity = "High"
+ severity = "Medium"
 }
 netfw-policy-rule-group-associated = {
 description = "Check AWS Network Firewall policy is associated with stateful OR stateless rule groups. This rule is NON_COMPLIANT if no stateful or stateless rule groups are associated with the Network Firewall policy else COMPLIANT if any one of the rule group exists."
 resource_types_scope = ["AWS::NetworkFirewall::FirewallPolicy"]
- severity = "High"
+ severity = "Medium"
 }
 netfw-stateless-rule-group-not-empty = {
@@ -1442,20 +1884,20 @@ locals {
 opensearch-encrypted-at-rest = {
 description = "Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled."
 resource_types_scope = ["AWS::OpenSearch::Domain"]
- severity = "High"
+ severity = "Medium"
 }
 opensearch-https-required = {
 description = "Checks whether connections to OpenSearch domains are using HTTPS. The rule is NON_COMPLIANT if the Amazon OpenSearch domain EnforceHTTPS is not true or is true and TLSSecurityPolicy is not in tlsPolicies ."
 input_parameters = var.opensearch_https_required_parameters
 resource_types_scope = ["AWS::OpenSearch::Domain"]
- severity = "High"
+ severity = "Medium"
 }
 opensearch-in-vpc-only = {
 description = "Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public."
 resource_types_scope = ["AWS::OpenSearch::Domain"]
- severity = "High"
+ severity = "Critical"
 }
 opensearch-logs-to-cloudwatch = {
@@ -1468,7 +1910,25 @@ locals {
 opensearch-node-to-node-encryption-check = {
 description = "Check if Amazon OpenSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is not enabled on the domain"
 resource_types_scope = ["AWS::OpenSearch::Domain"]
- severity = "High"
+ severity = "Medium"
+ }
+
+ opensearch-primary-node-fault-tolerance = {
+ description = "Checks if Amazon OpenSearch Service domains are configured with at least three dedicated primary nodes. The rule is NON_COMPLIANT for an OpenSearch Service domain if DedicatedMasterEnabled is set to false , or DedicatedMasterCount is less than 3."
+ resource_types_scope = ["AWS::OpenSearch::Domain"]
+ severity = "Medium"
+ }
+
+ opensearch-update-check = {
+ description = "Checks if Amazon OpenSearch Service version updates are available but not installed. The rule is NON_COMPLIANT for an OpenSearch domain if the latest software updates are not installed."
+ resource_types_scope = ["AWS::OpenSearch::Domain"]
+ severity = "Low"
+ }
+
+ rds-aurora-mysql-audit-logging-enabled = {
+ description = "Checks if Amazon Aurora MySQL-Compatible Edition clusters are configured to publish audit logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if Aurora MySQL-Compatible Edition clusters do not have audit log publishing configured."
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
 }
 rds-automatic-minor-version-upgrade-enabled = {
@@ -1477,6 +1937,12 @@ locals {
 severity = "High"
 }
+ rds-cluster-auto-minor-version-upgrade-enable = {
+ description = "Checks if automatic minor version upgrades are enabled for Amazon RDS Multi-AZ cluster deployments. The rule is NON_COMPLIANT if autoMinorVersionUpgrade is set to false."
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
+ }
+
 rds-cluster-default-admin-check = {
 description = "Checks if an Amazon Relational Database Service (Amazon RDS) database cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username is set to the default value."
 input_parameters = var.rds_cluster_default_admin_check_parameters
@@ -1490,6 +1956,12 @@ locals {
 severity = "Low"
 }
+ rds-cluster-encrypted-at-rest = {
+ description = "Checks if an Amazon Relational Database Service (Amazon RDS) cluster is encrypted at rest. The rule is NON_COMPLIANT if an Amazon RDS cluster is not encrypted at rest."
+ resource_types_scope = ["AWS::RDS::DBCluster"]
+ severity = "Medium"
+ }
+
 rds-cluster-iam-authentication-enabled = {
 description = "Checks if an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled."
 resource_types_scope = ["AWS::RDS::DBCluster"]
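Review bot: The new key `rds-cluster-auto-minor-version-upgrade-enable` ends in `-enable` while its neighbour `rds-automatic-minor-version-upgrade-enabled` and every other `*-enabled` key in these hunks end in `-enabled`. If the key doubles as the managed-rule identifier the spelling is presumably copied from upstream and has to stay, but it will read as a typo to the next maintainer; a one-line comment, `# identifier is spelled "-enable" upstream; renaming it breaks the rule`, would prevent a well-meant "fix". The enclosing `locals` block starts and ends outside the hunk.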
@@ -1503,7 +1975,7 @@ locals {
 }
 rds-db-security-group-not-allowed = {
- description = "Checks if there are any Amazon Relational Database Service (RDS) DB security groups that are not the default DB security group. The rule is NON_COMPLIANT is there are any DB security groups that are not the default DB security group."
+ description = "Checks if there are any Amazon Relational Database Service (Amazon RDS) DB security groups that are not the default DB security group. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group."
 resource_types_scope = ["AWS::RDS::DBSecurityGroup"]
 severity = "Medium"
 }
@@ -1526,7 +1998,7 @@ locals {
 description = "Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled; for example, deletionProtection is set to false."
 input_parameters = var.rds_instance_deletion_protection_enabled_parameters
 resource_types_scope = ["AWS::RDS::DBInstance"]
- severity = "Medium"
+ severity = "Low"
 }
 rds-instance-iam-authentication-enabled = {
@@ -1542,15 +2014,16 @@ locals {
 }
 rds-in-backup-plan = {
- description = "Checks if Amazon Relational Database Service (Amazon RDS) databases are present in AWS Backup plans. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan."
- severity = "Medium"
+ description = "Checks if Amazon Relational Database Service (Amazon RDS) databases are present in AWS Backup plans. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan."
+ resource_types_scope = ["AWS::RDS::DBInstance"]
+ severity = "Medium"
 }
 rds-last-backup-recovery-point-created = {
 description = "Checks if a recovery point was created for Amazon Relational Database Service (Amazon RDS). The rule is NON_COMPLIANT if the Amazon RDS instance does not have a corresponding recovery point created within the specified time period."
 input_parameters = var.rds_last_backup_recovery_point_created_parameters
 resource_types_scope = ["AWS::RDS::DBInstance"]
- severity = "High"
+ severity = "Medium"
 }
 rds-logging-enabled = {
@@ -1560,6 +2033,13 @@ locals {
 severity = "Medium"
 }
+ rds-meets-restore-time-target = {
+ description = "Checks if the restore time of Amazon Relational Database Service (Amazon RDS) instances meets specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon RDS instance is greater than maxRestoreTime minutes."
+ input_parameters = var.rds_meets_restore_time_target_parameters
+ resource_types_scope = ["AWS::RDS::DBInstance"]
+ severity = "Medium"
+ }
+
 rds-multi-az-support = {
 description = "Checks whether high availability is enabled for your RDS DB instances."
 resource_types_scope = ["AWS::RDS::DBInstance"]
@@ -1650,25 +2130,31 @@ locals { redshift-enhanced-vpc-routing-enabled = { description = "Checks if Amazon Redshift cluster has enhancedVpcRouting enabled. The rule is NON_COMPLIANT if enhancedVpcRouting is not enabled or if the configuration.enhancedVpcRouting field is false ." resource_types_scope = ["AWS::Redshift::Cluster"] - severity = "High" + severity = "Medium" } redshift-require-tls-ssl = { description = "Checks if Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true." - resource_types_scope = ["AWS::Redshift::Cluster"] + resource_types_scope = ["AWS::Redshift::Cluster", "AWS::Redshift::ClusterParameterGroup"] severity = "Medium" } + redshift-unrestricted-port-access = { + description = "Checks if security groups associated with an Amazon Redshift cluster have inbound rules that allow unrestricted incoming traffic. The rule is NON_COMPLIANT if there are inbound rules that allow unrestricted incoming traffic to the Redshift cluster port." + resource_types_scope = ["AWS::Redshift::Cluster"] + severity = "High" + } + required-tags = { - description = "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag. Separate multiple values with commas.You can check up to 6 tags at a time." + description = "Checks if your resources have the tags that you specify. For example, you can check whether your Amazon EC2 instances have the CostCenter tag,while also checking if all your RDS instance have one set of Keys tag. Separate multiple values with commas.You..." 
input_parameters = var.required_tags_parameters resource_types_scope = ["AWS::ACM::Certificate", "AWS::AutoScaling::AutoScalingGroup", "AWS::CloudFormation::Stack", "AWS::CodeBuild::Project", "AWS::DynamoDB::Table", "AWS::EC2::CustomerGateway", "AWS::EC2::Instance", "AWS::EC2::InternetGateway", "AWS::EC2::NetworkAcl", "AWS::EC2::NetworkInterface", "AWS::EC2::RouteTable", "AWS::EC2::SecurityGroup", "AWS::EC2::Subnet", "AWS::EC2::Volume", "AWS::EC2::VPC", "AWS::EC2::VPNConnection", "AWS::EC2::VPNGateway", "AWS::ElasticLoadBalancing::LoadBalancer", "AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::RDS::DBInstance", "AWS::RDS::DBSecurityGroup", "AWS::RDS::DBSnapshot", "AWS::RDS::DBSubnetGroup", "AWS::RDS::EventSubscription", "AWS::Redshift::Cluster", "AWS::Redshift::ClusterParameterGroup", "AWS::Redshift::ClusterSecurityGroup", "AWS::Redshift::ClusterSnapshot", "AWS::Redshift::ClusterSubnetGroup", "AWS::S3::Bucket"] severity = "Medium" } - restricted-incoming-traffic = { - description = "Checks if the security groups in use do not allow unrestricted incoming Transmission Control Protocol (TCP) traffic to the specified ports for IPv4. The rule is COMPLIANT if IP addresses for inbound TCP connections are restricted to the specified ports." - input_parameters = var.restricted_incoming_traffic_parameters + restricted-common-ports = { + description = "Checks if the security groups in use do not allow unrestricted incoming Transmission Control Protocol (TCP) traffic to specified ports. The rule is COMPLIANT if:" + input_parameters = var.restricted_common_ports_parameters resource_types_scope = ["AWS::EC2::SecurityGroup"] severity = "High" } 
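Review bot: The new `restricted-common-ports` block's description ends with `The rule is COMPLIANT if:` — the sentence is cut off, so the length cap applied by whatever produced these strings (also visible in `required-tags`, which now ends in `You...`) has dropped the actual compliance condition; either complete the sentence by hand or raise the cap so the description still tells a triager what the finding means. Separately, renaming `restricted-incoming-traffic` to `restricted-common-ports` here — and, in the variables file hunks that follow, `cloud_trail_enabled_parameters` → `cloudtrail_enabled_parameters`, `instances_in_vpc_parameters` → `ec2_instances_in_vpc_parameters`, `multi_region_cloud_trail_enabled_parameters` → `multi_region_cloudtrail_enabled_parameters` and `restricted_incoming_traffic_parameters` → `restricted_common_ports_parameters` — drops the old names with no alias, so if this module is consumed elsewhere, callers setting the old variables or enabling the old rule key will fail to plan. That deserves a breaking-change note in the changelog (and a major version bump if the module is versioned). The enclosing `locals` block starts and ends outside the hunk.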
@@ -1683,6 +2169,25 @@ locals {
 severity = "Critical"
 }
 
+ route53-query-logging-enabled = {
+ description = "Checks if DNS query logging is enabled for your Amazon Route 53 public hosted zones. The rule is NON_COMPLIANT if DNS query logging is not enabled for your Amazon Route 53 public hosted zones."
+ resource_types_scope = ["AWS::Route53::HostedZone"]
+ severity = "Medium"
+ }
+
+ s3-access-point-in-vpc-only = {
+ description = "Checks if an Amazon S3 access point does not allow access from the internet (NetworkOrigin is VPC). The rule is NON_COMPLIANT if NetworkOrigin is Internet."
+ resource_types_scope = ["AWS::S3::AccessPoint"]
+ severity = "Medium"
+ }
+
+ s3-access-point-public-access-blocks = {
+ description = "Checks if Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points."
+ input_parameters = var.s3_access_point_public_access_blocks_parameters
+ resource_types_scope = ["AWS::S3::AccessPoint"]
+ severity = "Critical"
+ }
+
 s3-account-level-public-access-blocks = {
 description = "Checks if the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item."
 input_parameters = var.s3_account_level_public_access_blocks_parameters
@@ -1691,9 +2196,10 @@ locals { } s3-account-level-public-access-blocks-periodic = { - description = "Checks if the required public access block settings are configured at the account level. The rule is NON_COMPLAINT if the configuration item does not match one or more settings from parameters (or default)." - input_parameters = var.s3_account_level_public_access_blocks_periodic_parameters - severity = "Medium" + description = "Checks if the required public access block settings are configured at the account level. The rule is NON_COMPLIANT if the configuration item does not match one or more settings from parameters (or default)." + input_parameters = var.s3_account_level_public_access_blocks_periodic_parameters + resource_types_scope = ["AWS::::Account"] + severity = "Medium" } s3-bucket-acl-prohibited = { @@ -1706,6 +2212,12 @@ locals { description = "Checks if an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts.For example, the rule checks that the Amazon S3..." input_parameters = var.s3_bucket_blacklisted_actions_prohibited_parameters resource_types_scope = ["AWS::S3::Bucket"] + severity = "Medium" + } + + s3-bucket-cross-region-replication-enabled = { + description = "Checks if you have enabled S3 Cross-Region Replication for your Amazon S3 buckets. The rule is NON_COMPLIANT if there are no replication rules enabled for Cross-Region Replication." + resource_types_scope = ["AWS::S3::Bucket"] severity = "High" } @@ -1720,7 +2232,7 @@ locals { description = "Checks if S3 buckets are publicly accessible. The rule is NON_COMPLIANT if an S3 bucket is not listed in the excludedPublicBuckets parameter and bucket level settings are public." input_parameters = var.s3_bucket_level_public_access_prohibited_parameters resource_types_scope = ["AWS::S3::Bucket"] - severity = "Critical" + severity = "High" } s3-bucket-logging-enabled = { 
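Review bot: The hunk at `@@ -1706,6 +2212,12 @@` silently changes the severity of the existing `s3-bucket-blacklisted-actions-prohibited` rule from High to Medium even though it reads as a pure insertion: the added `severity = "Medium"` and `}` close the existing block, and the context line `severity = "High"` now belongs to the new `s3-bucket-cross-region-replication-enabled` block. The same diff alignment hides a Medium → Low downgrade of `s3-lifecycle-policy-check` in the hunk at `@@ -1807,6 +2325,13 @@`, and the third hunk here also drops `s3-bucket-level-public-access-prohibited` from Critical to High. A cross-account action-allowlist check losing a level while a replication (availability) check is rated High looks unintentional; if it is intended, say so in the commit message so anyone ranking findings by `severity` is not surprised. The enclosing `locals` block starts and ends outside these hunks.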
@@ -1730,6 +2242,12 @@ locals { severity = "Medium" } + s3-bucket-mfa-delete-enabled = { + description = "Checks if MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled." + resource_types_scope = ["AWS::S3::Bucket"] + severity = "Low" + } + s3-bucket-policy-grantee-check = { description = "Checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present." input_parameters = var.s3_bucket_policy_grantee_check_parameters @@ -1779,13 +2297,13 @@ locals { description = "Checks if versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets." input_parameters = var.s3_bucket_versioning_enabled_parameters resource_types_scope = ["AWS::S3::Bucket"] - severity = "Medium" + severity = "Low" } s3-default-encryption-kms = { description = "Checks if the S3 buckets are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the S3 bucket is not encrypted with an AWS KMS key." input_parameters = var.s3_default_encryption_kms_parameters - resource_types_scope = ["AWS::S3::Bucket"] + resource_types_scope = ["AWS::S3::Bucket", "AWS::KMS::Key"] severity = "Medium" } @@ -1793,7 +2311,7 @@ locals { description = "Checks if Amazon S3 Events Notifications are enabled on an S3 bucket. The rule is NON_COMPLIANT if S3 Events Notifications are not set on a bucket, or if the event type or destination do not match the eventTypes and destinationArn parameters." input_parameters = var.s3_event_notifications_enabled_parameters resource_types_scope = ["AWS::S3::Bucket"] - severity = "Low" + severity = "Medium" } s3-last-backup-recovery-point-created = { 
@@ -1807,6 +2325,13 @@ locals { description = "Checks if a lifecycle rule is configured for an Amazon Simple Storage Service (Amazon S3) bucket. The rule is NON_COMPLIANT if there is no active lifecycle configuration rules or the configuration does not match with the parameter values." input_parameters = var.s3_lifecycle_policy_check_parameters resource_types_scope = ["AWS::S3::Bucket"] + severity = "Low" + } + + s3-meets-restore-time-target = { + description = "Checks if the restore time of Amazon Simple Storage Service (Amazon S3) buckets meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon S3 bucket is greater than maxRestoreTime minutes." + input_parameters = var.s3_meets_restore_time_target_parameters + resource_types_scope = ["AWS::S3::Bucket"] severity = "Medium" } 
@@ -1825,33 +2350,42 @@ locals { } sagemaker-endpoint-configuration-kms-key-configured = { - description = "Checks if AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker endpoint configuration. The rule is NON_COMPLIANT if KmsKeyId is not specified for the Amazon SageMaker endpoint configuration." - input_parameters = var.sagemaker_endpoint_configuration_kms_key_configured_parameters - severity = "Medium" + description = "Checks if AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker endpoint configuration. The rule is NON_COMPLIANT if KmsKeyId is not specified for the Amazon SageMaker endpoint configuration." + input_parameters = var.sagemaker_endpoint_configuration_kms_key_configured_parameters + resource_types_scope = ["AWS::SageMaker::EndpointConfig"] + severity = "Medium" + } + + sagemaker-endpoint-config-prod-instance-count = { + description = "Checks if Amazon SageMaker endpoint configurations have production variants InitialInstanceCount set to a value greater than 1. The rule is NON_COMPLIANT if production variants InitialInstanceCount is equal to 1." + resource_types_scope = ["AWS::SageMaker::EndpointConfig"] + severity = "Medium" } sagemaker-notebook-instance-inside-vpc = { description = "Checks if an Amazon SageMaker notebook instance is launched within a VPC or within a list of approved subnets. The rule is NON_COMPLIANT if a notebook instance is not launched within a VPC or if its subnet ID is not included in the parameter list." input_parameters = var.sagemaker_notebook_instance_inside_vpc_parameters resource_types_scope = ["AWS::SageMaker::NotebookInstance"] - severity = "Medium" + severity = "High" } sagemaker-notebook-instance-kms-key-configured = { - description = "Checks if an AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if KmsKeyId is not specified for the SageMaker notebook instance." 
- input_parameters = var.sagemaker_notebook_instance_kms_key_configured_parameters - severity = "Medium" + description = "Checks if an AWS Key Management Service (AWS KMS) key is configured for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if KmsKeyId is not specified for the SageMaker notebook instance." + input_parameters = var.sagemaker_notebook_instance_kms_key_configured_parameters + resource_types_scope = ["AWS::SageMaker::NotebookInstance"] + severity = "Medium" } sagemaker-notebook-instance-root-access-check = { description = "Checks if the Amazon SageMaker RootAccess setting is enabled for Amazon SageMaker notebook instances. The rule is NON_COMPLIANT if the RootAccess setting is set to Enabled for an Amazon SageMaker notebook instance." resource_types_scope = ["AWS::SageMaker::NotebookInstance"] - severity = "Medium" + severity = "High" } sagemaker-notebook-no-direct-internet-access = { - description = "Checks if direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if a SageMaker notebook instance is internet-enabled." - severity = "High" + description = "Checks if direct internet access is disabled for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if a SageMaker notebook instance is internet-enabled." + resource_types_scope = ["AWS::SageMaker::NotebookInstance"] + severity = "High" } secretsmanager-rotation-enabled-check = { 
@@ -1868,15 +2402,17 @@ locals { } secretsmanager-secret-periodic-rotation = { - description = "Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days." - input_parameters = var.secretsmanager_secret_periodic_rotation_parameters - severity = "Medium" + description = "Checks if AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days." + input_parameters = var.secretsmanager_secret_periodic_rotation_parameters + resource_types_scope = ["AWS::SecretsManager::Secret"] + severity = "Medium" } secretsmanager-secret-unused = { - description = "Checks if AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in unusedForDays number of days. The default value is 90 days." - input_parameters = var.secretsmanager_secret_unused_parameters - severity = "Medium" + description = "Checks if AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in unusedForDays number of days. The default value is 90 days." + input_parameters = var.secretsmanager_secret_unused_parameters + resource_types_scope = ["AWS::SecretsManager::Secret"] + severity = "Medium" } secretsmanager-using-cmk = { 
@@ -1897,10 +2433,17 @@ locals { severity = "Medium" } + service-catalog-shared-within-organization = { + description = "Checks if AWS Service Catalog shares portfolios to an organization (a collection of AWS accounts treated as a single unit) when integration is enabled with AWS Organizations. The rule is NON_COMPLIANT if the Type value of a share is ACCOUNT ." + resource_types_scope = ["AWS::ServiceCatalog::Portfolio"] + severity = "Medium" + } + service-vpc-endpoint-enabled = { - description = "Checks if Service Endpoint for the service provided in rule parameter is created for each Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if an Amazon VPC doesn t have an Amazon VPC endpoint created for the service." - input_parameters = var.service_vpc_endpoint_enabled_parameters - severity = "Medium" + description = "Checks if Service Endpoint for the service provided in rule parameter is created for each Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if an Amazon VPC doesn t have an Amazon VPC endpoint created for the service." + input_parameters = var.service_vpc_endpoint_enabled_parameters + resource_types_scope = ["AWS::EC2::VPC"] + severity = "Medium" } ses-malware-scanning-enabled = { @@ -1920,7 +2463,7 @@ locals { } sns-encrypted-kms = { - description = "Checks if an SNS topic is encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the SNS topic is not encrypted with AWS KMS or if a KMS key ID used to encrypt the SNS topic is not present in the kmsKeyIds input parameter." + description = "Checks if SNS topics are encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if an SNS topic is not encrypted with AWS KMS. Optionally, specify the key ARNs, the alias ARNs, the alias name, or the key IDs for the rule to check." input_parameters = var.sns_encrypted_kms_parameters resource_types_scope = ["AWS::SNS::Topic"] severity = "Medium" 
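Review bot: The new description literals carry text-extraction artifacts — `doesn t` in `service-vpc-endpoint-enabled` (the apostrophe has been dropped, on both the removed and the added line) and `is ACCOUNT .` in the new `service-catalog-shared-within-organization` (stray space before the period); the same `false .` pattern sits in `redshift-enhanced-vpc-routing-enabled` earlier in the file. These strings are what operators read when a finding fires, so fix the literals here, e.g. `doesn't have an Amazon VPC endpoint created for the service.`, and make the scraper that presumably produces them preserve or map non-ASCII punctuation instead of replacing it with whitespace, otherwise the next regeneration reintroduces them. The enclosing `locals` block starts and ends outside the hunk.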
@@ -1929,12 +2472,13 @@ locals { sns-topic-message-delivery-notification-enabled = { description = "Checks if Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled." resource_types_scope = ["AWS::SNS::Topic"] - severity = "Low" + severity = "Medium" } ssm-document-not-public = { - description = "Checks if AWS Systems Manager documents owned by the account are public. The rule is NON_COMPLIANT if Systems Manager documents with the owner Self are public." - severity = "Critical" + description = "Checks if AWS Systems Manager documents owned by the account are public. The rule is NON_COMPLIANT if Systems Manager documents with the owner Self are public." + resource_types_scope = ["AWS::SSM::Document"] + severity = "Critical" } step-functions-state-machine-logging-enabled = { @@ -1964,6 +2508,12 @@ locals { severity = "Medium" } + transfer-family-server-no-ftp = { + description = "Checks if a server created with AWS Transfer Family uses FTP for endpoint connection. The rule is NON_COMPLIANT if the server protocol for endpoint connection is FTP-enabled." + resource_types_scope = ["AWS::Transfer::Server"] + severity = "Medium" + } + virtualmachine-last-backup-recovery-point-created = { description = "Checks if a recovery point was created for AWS Backup-Gateway VirtualMachines. The rule is NON_COMPLIANT if an AWS Backup-Gateway VirtualMachines does not have a corresponding recovery point created within the specified time period." input_parameters = var.virtualmachine_last_backup_recovery_point_created_parameters 
@@ -1985,9 +2535,10 @@ locals { } vpc-flow-logs-enabled = { - description = "Checks if Amazon Virtual Private Cloud (Amazon VPC) flow logs are found and enabled for all Amazon VPCs. The rule is NON_COMPLIANT if flow logs are not enabled for at least one Amazon VPC." - input_parameters = var.vpc_flow_logs_enabled_parameters - severity = "Medium" + description = "Checks if Amazon Virtual Private Cloud (Amazon VPC) flow logs are found and enabled for all Amazon VPCs. The rule is NON_COMPLIANT if flow logs are not enabled for at least one Amazon VPC." + input_parameters = var.vpc_flow_logs_enabled_parameters + resource_types_scope = ["AWS::EC2::VPC"] + severity = "Medium" } vpc-network-acl-unused-check = { @@ -2010,6 +2561,13 @@ locals { severity = "High" } + vpc-sg-port-restriction-check = { + description = "Checks if security groups restrict incoming traffic to restricted ports explicitly from 0.0.0.0/0 or ::/0. The rule is NON_COMPLIANT if security groups allow incoming traffic from 0.0.0.0/0 or ::/0 over TCP/UDP ports 22/3389 or as specified in parameters." + input_parameters = var.vpc_sg_port_restriction_check_parameters + resource_types_scope = ["AWS::EC2::SecurityGroup"] + severity = "High" + } + vpc-vpn-2-tunnels-up = { description = "Checks if both virtual private network (VPN) tunnels provided by AWS Site-to-Site VPN are in UP status. The rule is NON_COMPLIANT if one or both tunnels are in DOWN status." resource_types_scope = ["AWS::EC2::VPNConnection"] 
@@ -2017,9 +2575,16 @@ locals { } wafv2-logging-enabled = { - description = "Checks if logging is enabled on AWS WAFv2 regional and global web access control lists (web ACLs). The rule is NON_COMPLIANT if the logging is enabled but the logging destination does not match the value of the parameter." - input_parameters = var.wafv2_logging_enabled_parameters - severity = "Medium" + description = "Checks if logging is enabled on AWS WAFv2 regional and global web access control lists (web ACLs). The rule is NON_COMPLIANT if the logging is enabled but the logging destination does not match the value of the parameter." + input_parameters = var.wafv2_logging_enabled_parameters + resource_types_scope = ["AWS::WAFv2::WebACL"] + severity = "Low" + } + + wafv2-rulegroup-logging-enabled = { + description = "Checks if Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the VisibilityConfig.CloudWatchMetricsEnabled field is set to false." + resource_types_scope = ["AWS::WAFv2::RuleGroup"] + severity = "Medium" } wafv2-rulegroup-not-empty = { @@ -2035,9 +2600,10 @@ locals { } waf-classic-logging-enabled = { - description = "Checks if logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled." - input_parameters = var.waf_classic_logging_enabled_parameters - severity = "Medium" + description = "Checks if logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled." + input_parameters = var.waf_classic_logging_enabled_parameters + resource_types_scope = ["AWS::WAF::WebACL"] + severity = "Medium" } waf-global-rulegroup-not-empty = { diff --git a/managed_rules_variables.tf b/managed_rules_variables.tf index d907eb1..6ca6a21 100644 --- a/managed_rules_variables.tf +++ b/managed_rules_variables.tf 
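Review bot: `wafv2-logging-enabled` is downgraded from Medium to Low in the first hunk here while `waf-classic-logging-enabled`, the same control for the older WAF API, keeps `severity = "Medium"` in the second hunk; both rules cover the only audit trail of allowed/blocked web requests, so the two ratings should agree unless a missing WAFv2 log is genuinely less important than a missing classic one. If the downgrade is deliberate, a one-line comment above the rule explaining why (or a note in the commit message) would stop it from being "fixed" back later; otherwise keep `severity = "Medium"`. The enclosing `locals` block starts and ends outside the hunk.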
@@ -28,6 +28,14 @@ variable "acm_certificate_expiration_check_parameters" { } +variable "acm_pca_root_ca_disabled_parameters" { + description = "Input parameters for the acm-pca-root-ca-disabled rule." + type = object({ + exemptedCAArns = optional(string, null) + }) + default = {} +} + variable "alb_desync_mode_check_parameters" { description = "Input parameters for the alb-desync-mode-check rule." type = object({ @@ -114,6 +122,14 @@ variable "appsync_associated_with_waf_parameters" { default = {} } +variable "appsync_authorization_check_parameters" { + description = "Input parameters for the appsync-authorization-check rule." + type = object({ + AllowedAuthorizationTypes = optional(string, null) + }) + default = {} +} + variable "appsync_logging_enabled_parameters" { description = "Input parameters for the appsync-logging-enabled rule." type = object({ @@ -137,6 +153,16 @@ variable "aurora_last_backup_recovery_point_created_parameters" { } +variable "aurora_meets_restore_time_target_parameters" { + description = "Input parameters for the aurora-meets-restore-time-target rule." + type = object({ + maxRestoreTime = optional(number, null) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = {} +} + variable "aurora_mysql_backtracking_enabled_parameters" { description = "Input parameters for the aurora-mysql-backtracking-enabled rule." type = object({ @@ -322,8 +348,8 @@ variable "cloud_trail_cloud_watch_logs_enabled_parameters" { default = {} } -variable "cloud_trail_enabled_parameters" { - description = "Input parameters for the cloud-trail-enabled rule." +variable "cloudtrail_enabled_parameters" { + description = "Input parameters for the cloudtrail-enabled rule." type = object({ cloudWatchLogsLogGroupArn = optional(string, null) s3BucketName = optional(string, null) 
@@ -427,6 +453,22 @@ variable "desired_instance_type_parameters" { default = {} } +variable "docdb_cluster_backup_retention_check_parameters" { + description = "Input parameters for the docdb-cluster-backup-retention-check rule." + type = object({ + minimumBackupRetentionPeriod = optional(number, null) + }) + default = {} +} + +variable "docdb_cluster_encrypted_parameters" { + description = "Input parameters for the docdb-cluster-encrypted rule." + type = object({ + kmsKeyArns = optional(string, null) + }) + default = {} +} + variable "dynamodb_autoscaling_enabled_parameters" { description = "Input parameters for the dynamodb-autoscaling-enabled rule." type = object({ @@ -455,6 +497,16 @@ variable "dynamodb_last_backup_recovery_point_created_parameters" { } +variable "dynamodb_meets_restore_time_target_parameters" { + description = "Input parameters for the dynamodb-meets-restore-time-target rule." + type = object({ + maxRestoreTime = optional(number, null) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = {} +} + variable "dynamodb_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the dynamodb-resources-protected-by-backup-plan rule." type = object({ @@ -505,6 +557,16 @@ variable "ebs_last_backup_recovery_point_created_parameters" { } +variable "ebs_meets_restore_time_target_parameters" { + description = "Input parameters for the ebs-meets-restore-time-target rule." + type = object({ + maxRestoreTime = optional(number, null) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = {} +} + variable "ebs_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the ebs-resources-protected-by-backup-plan rule." type = object({ 
@@ -596,6 +658,16 @@ variable "ec2_managedinstance_platform_check_parameters" { default = {} } +variable "ec2_meets_restore_time_target_parameters" { + description = "Input parameters for the ec2-meets-restore-time-target rule." + type = object({ + maxRestoreTime = optional(number, null) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = {} +} + variable "ec2_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the ec2-resources-protected-by-backup-plan rule." type = object({ @@ -702,6 +774,16 @@ variable "efs_last_backup_recovery_point_created_parameters" { } +variable "efs_meets_restore_time_target_parameters" { + description = "Input parameters for the efs-meets-restore-time-target rule." + type = object({ + maxRestoreTime = optional(number, null) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = {} +} + variable "efs_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the efs-resources-protected-by-backup-plan rule." type = object({ @@ -716,6 +798,14 @@ variable "efs_resources_protected_by_backup_plan_parameters" { default = {} } +variable "eks_cluster_log_enabled_parameters" { + description = "Input parameters for the eks-cluster-log-enabled rule." + type = object({ + logTypes = optional(string, null) + }) + default = {} +} + variable "eks_cluster_oldest_supported_version_parameters" { description = "Input parameters for the eks-cluster-oldest-supported-version rule." type = object({ 
@@ -724,6 +814,14 @@ variable "eks_cluster_oldest_supported_version_parameters" { default = {} } +variable "eks_cluster_secrets_encrypted_parameters" { + description = "Input parameters for the eks-cluster-secrets-encrypted rule." + type = object({ + kmsKeyArns = optional(string, null) + }) + default = {} +} + variable "eks_cluster_supported_version_parameters" { description = "Input parameters for the eks-cluster-supported-version rule." type = object({ @@ -911,6 +1009,16 @@ variable "fsx_last_backup_recovery_point_created_parameters" { } +variable "fsx_meets_restore_time_target_parameters" { + description = "Input parameters for the fsx-meets-restore-time-target rule." + type = object({ + maxRestoreTime = optional(number, null) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = {} +} + variable "fsx_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the fsx-resources-protected-by-backup-plan rule." type = object({ @@ -1053,8 +1161,8 @@ variable "iam_user_unused_credentials_check_parameters" { } -variable "instances_in_vpc_parameters" { - description = "Input parameters for the instances-in-vpc rule." +variable "ec2_instances_in_vpc_parameters" { + description = "Input parameters for the ec2-instances-in-vpc rule." type = object({ vpcId = optional(string, null) }) @@ -1069,6 +1177,14 @@ variable "internet_gateway_authorized_vpc_only_parameters" { default = {} } +variable "kinesis_firehose_delivery_stream_encrypted_parameters" { + description = "Input parameters for the kinesis-firehose-delivery-stream-encrypted rule." + type = object({ + kmsKeyArns = optional(string, null) + }) + default = {} +} + variable "kms_cmk_not_scheduled_for_deletion_parameters" { description = "Input parameters for the kms-cmk-not-scheduled-for-deletion rule." type = object({ 
@@ -1125,8 +1241,8 @@ variable "lambda_vpc_multi_az_check_parameters" { default = {} } -variable "multi_region_cloud_trail_enabled_parameters" { - description = "Input parameters for the multi-region-cloud-trail-enabled rule." +variable "multi_region_cloudtrail_enabled_parameters" { + description = "Input parameters for the multi-region-cloudtrail-enabled rule." type = object({ cloudWatchLogsLogGroupArn = optional(string, null) includeManagementEvents = optional(bool, null) @@ -1137,6 +1253,22 @@ variable "multi_region_cloud_trail_enabled_parameters" { default = {} } +variable "neptune_cluster_backup_retention_check_parameters" { + description = "Input parameters for the neptune-cluster-backup-retention-check rule." + type = object({ + minimumBackupRetentionPeriod = optional(number, null) + }) + default = {} +} + +variable "neptune_cluster_encrypted_parameters" { + description = "Input parameters for the neptune-cluster-encrypted rule." + type = object({ + KmsKeyArns = optional(string, null) + }) + default = {} +} + variable "netfw_logging_enabled_parameters" { description = "Input parameters for the netfw-logging-enabled rule." type = object({ @@ -1256,6 +1388,16 @@ variable "rds_logging_enabled_parameters" { default = {} } +variable "rds_meets_restore_time_target_parameters" { + description = "Input parameters for the rds-meets-restore-time-target rule." + type = object({ + maxRestoreTime = optional(number, null) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = {} +} + variable "rds_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the rds-resources-protected-by-backup-plan rule." type = object({ 
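Review bot: `neptune_cluster_encrypted_parameters` declares its attribute as `KmsKeyArns` (capital K), whereas the sibling variables added in this commit — `docdb_cluster_encrypted_parameters`, `eks_cluster_secrets_encrypted_parameters` and `kinesis_firehose_delivery_stream_encrypted_parameters` — all use `kmsKeyArns`. AWS Config input parameter names are case-sensitive and are passed through verbatim, so this must match the name documented for that specific rule; if the AWS documentation really capitalises it for `neptune-cluster-encrypted`, a comment such as `# attribute name is capitalised in the AWS docs for this rule; do not "fix" for consistency` would protect it from a future cleanup, and if it does not, the attribute should be `kmsKeyArns`. I cannot confirm the documented casing from the diff alone.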
@@ -1370,14 +1512,15 @@ variable "required_tags_parameters" { } -variable "restricted_incoming_traffic_parameters" { - description = "Input parameters for the restricted-incoming-traffic rule." +variable "restricted_common_ports_parameters" { + description = "Input parameters for the restricted-common-ports rule." type = object({ blockedPort1 = optional(number, 20) blockedPort2 = optional(number, 21) blockedPort3 = optional(number, 3389) blockedPort4 = optional(number, 3306) blockedPort5 = optional(number, 4333) + blockedPorts = optional(string, null) }) default = { blockedPort1 = 20 @@ -1389,6 +1532,14 @@ variable "restricted_incoming_traffic_parameters" { } +variable "s3_access_point_public_access_blocks_parameters" { + description = "Input parameters for the s3-access-point-public-access-blocks rule." + type = object({ + excludedAccessPoints = optional(string, null) + }) + default = {} +} + variable "s3_account_level_public_access_blocks_parameters" { description = "Input parameters for the s3-account-level-public-access-blocks rule." type = object({ @@ -1530,6 +1681,16 @@ variable "s3_lifecycle_policy_check_parameters" { default = {} } +variable "s3_meets_restore_time_target_parameters" { + description = "Input parameters for the s3-meets-restore-time-target rule." + type = object({ + maxRestoreTime = optional(number, null) + resourceId = optional(string, null) + resourceTags = optional(string, null) + }) + default = {} +} + variable "s3_resources_protected_by_backup_plan_parameters" { description = "Input parameters for the s3-resources-protected-by-backup-plan rule." type = object({ 
@@ -1717,6 +1878,17 @@ variable "vpc_sg_open_only_to_authorized_ports_parameters" { default = {} } +variable "vpc_sg_port_restriction_check_parameters" { + description = "Input parameters for the vpc-sg-port-restriction-check rule." + type = object({ + excludeExternalSecurityGroups = optional(bool, null) + ipType = optional(string, null) + protocolType = optional(string, null) + restrictPorts = optional(string, null) + }) + default = {} +} + variable "wafv2_logging_enabled_parameters" { description = "Input parameters for the wafv2-logging-enabled rule." type = object({ diff --git a/scripts/config-rule-updater/.gitignore b/scripts/.gitignore similarity index 100% rename from scripts/config-rule-updater/.gitignore rename to scripts/.gitignore diff --git a/scripts/config-rule-updater/README.md b/scripts/README.md similarity index 89% rename from scripts/config-rule-updater/README.md rename to scripts/README.md index 4ea9011..36bf2f0 100644 --- a/scripts/config-rule-updater/README.md +++ b/scripts/README.md @@ -92,4 +92,11 @@ locals { } ``` -If a rule has no parameters then a `{rule_name}_parameters` variable is not generated and the `input_parameters` attribute is omitted in the `locals` block. \ No newline at end of file +If a rule has no parameters then a `{rule_name}_parameters` variable is not generated and the `input_parameters` attribute is omitted in the `locals` block. + +# Rule Pack Info Generator + +This script parses the Conformance Packs maintained in the [awslabs/aws-config-rules](https://github.com/awslabs/aws-config-rules) repository to generate two files: + + - A YAML file containing all of the Config Rules associated with each pack + - A text file containing only a newline separated list of all the packs \ No newline at end of file diff --git a/scripts/config-rule-updater/index.py b/scripts/config-rule-updater/index.py deleted file mode 100644 index 1d77e31..0000000 --- a/scripts/config-rule-updater/index.py +++ /dev/null 
@@ -1,54 +0,0 @@ -from pathlib import Path -from typing import List - -from lib.aws_config_rule import AwsConfigRule -from lib.aws_docs_reader import generate_config_rule_data -from lib.hcl_generator import generate_variables, generate_locals, load_source_file -from lib.hcl_reader import read_hcl_file - -ROOT_PAGE = 'https://docs.aws.amazon.com/config/latest/developerguide/' -AWS_MANAGED_RULES_PAGE = ROOT_PAGE + 'managed-rules-by-aws-config.html' -SOURCE_FILE_NAME = Path('config_rule_data.json') -LOCALS_FILE_PATH = Path('..', '..', 'managed_rules_locals.tf') -VARIABLES_FILE_PATH = Path('..', '..', 'managed_rules_variables.tf') - -if __name__ == '__main__': - # Scrape AWS documentation for the latest Config Rules. - generate_config_rule_data( - root_url=ROOT_PAGE, - managed_rules_page=AWS_MANAGED_RULES_PAGE) - - # Load the list of managed rules from the existing locals block. - data = read_hcl_file(LOCALS_FILE_PATH) - existing_rules_data = None - for _, local in enumerate(data['locals']): - existing_rules_data = local['managed_rules'] - - # Load source file with the latest Config Rule definitions. - latest_config_rules_data = load_source_file(SOURCE_FILE_NAME) - - # Update the severity levels of the latest rules from the existing rules. - rules: List[AwsConfigRule] = [] - existing_rules = existing_rules_data.keys() - for rule_data in latest_config_rules_data: - rule = AwsConfigRule(data=rule_data) - if rule.name not in existing_rules: - rules.append(rule) - continue - for existing_rule_name, existing_rule_data in existing_rules_data.items(): - if rule.name == existing_rule_name: - print(f"Updating rule {rule.name} severity to {existing_rule_data['severity']}") - rule.set_severity_level(existing_rule_data['severity']) - rules.append(rule) - break - - # Update the managed rules in the locals block with the latest changes. - generate_locals( - rules=rules, - output_file=LOCALS_FILE_PATH) - - # Update the Config Rules parameters variables. 
We only want to create - # variables for rules that have parameters. - generate_variables( - rules=[x for x in rules if x.parameters_data], - output_file=VARIABLES_FILE_PATH) diff --git a/scripts/discover-new-rules.rb b/scripts/discover-new-rules.rb deleted file mode 100755 index b76a5cc..0000000 --- a/scripts/discover-new-rules.rb +++ /dev/null @@ -1,37 +0,0 @@ -#!/usr/bin/env ruby - -require 'json' -require 'yaml' -require 'nokogiri' -require 'open-uri' - -# Rules that we have, but are named differently than AWS (we use the identifier) -renamed_rules = [ - "cloudtrail-enabled", - "ec2-instance-managed-by-systems-manager", - "ec2-instances-in-vpc", - "multi-region-cloudtrail-enabled", - "restricted-common-ports", - "restricted-ssh", -] - -url = 'https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html' -html = URI.open(url) -doc = Nokogiri::HTML(html) -aws_rules = [] - -doc.css("li").each do |item| - aws_rules << item.text -end - -init = `terraform init` -keys = `echo "keys((local.managed_rules))" | terraform console` -our_rules = JSON.parse("#{keys[0..-5]}]") - -our_rules.concat(renamed_rules) - -aws_rules.each do |aws_rule| - if !our_rules.include?(aws_rule) - puts aws_rule - end -end \ No newline at end of file diff --git a/scripts/generate-rule-pack-info.rb b/scripts/generate-rule-pack-info.rb deleted file mode 100755 index c1ec026..0000000 --- a/scripts/generate-rule-pack-info.rb +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/usr/bin/env ruby - -# -# Basic script to download the conformance packs, parse them, and produce: -# -# - A YAML file containing all of the Config Rules associated with each pack -# - A text file containing only a newline separated list of all the packs -# -# This script is run ad-hoc by the module maintainers and the files are -# committed to this repo, so this is not being run as part of normal Terraform -# operations -# - - -require 'fileutils' -require 'time' -require 'yaml' - -rule_packs = Array.new -pack_rules_yaml = 'files/pack-rules.yaml' -pack_rules_list = 'files/pack-rules-list.txt' -rules_dir = 'aws-config-rules' -git_clone = `git clone https://github.com/awslabs/#{rules_dir}.git` -yaml_files = Dir["#{rules_dir}/aws-config-conformance-packs/*.yaml"] - -packs = { - "generated_on" => Time.now.utc.iso8601, - "packs" => Hash.new, -} - -puts "" - -yaml_files.sort.each do |file| - pack = File.basename(file, '.yaml') - - next if pack == 'custom-conformance-pack' - - content = File.read(file) - parsed = YAML.safe_load(content) - rules = Array.new - - parsed["Resources"].each do |rule, attr| - if attr["Properties"]["Source"] != nil - ident = attr["Properties"]["Source"]["SourceIdentifier"] - rules << ident.downcase.gsub("_", "-") - end - end - - packs["packs"][pack] = rules.uniq.sort - rule_packs << pack - puts "Processed rule pack #{pack}" -end - -outfile = File.open(pack_rules_yaml, 'w') -outfile.puts packs.to_yaml -outfile.close -puts "\nWrote all YAML pack rules/associations to: #{pack_rules_yaml}" - -outfile = File.open(pack_rules_list, 'w') -outfile.puts rule_packs -outfile.close -puts "Wrote list of pack rules to: #{pack_rules_list}" - -FileUtils.rm_rf(rules_dir) - -puts "\nComplete!\n" \ No newline at end of file diff --git a/scripts/index.py b/scripts/index.py new file mode 100644 index 0000000..3b53a1a --- /dev/null +++ b/scripts/index.py 
@@ -0,0 +1,155 @@ +import logging +import os +import shutil +import subprocess +import sys + +from datetime import datetime, timezone +from pathlib import Path +from typing import List + +import yaml + +from lib.aws_config_rule import AwsConfigRule, SeverityOverride +from lib.aws_docs_reader import generate_config_rule_data, generate_security_hub_controls_data +from lib.hcl_generator import generate_variables, generate_locals, load_source_file +from lib.rule_pack_info_generator import process_conformance_pack, InvalidConformancePackException + +# Common constants. +CURRENT_DIR = Path(__file__).resolve().parent + +# Managed rules constants. +ROOT_PAGE = 'https://docs.aws.amazon.com/config/latest/developerguide/' +AWS_MANAGED_RULES_PAGE = ROOT_PAGE + 'managed-rules-by-aws-config.html' +SECURITY_HUB_ROOT_PAGE = "https://docs.aws.amazon.com/securityhub/latest/userguide" +SECURITY_HUB_CONTROLS_REF_PAGE = "securityhub-controls-reference.html" +SOURCE_FILE_NAME = Path(CURRENT_DIR, 'config_rule_data.json') +SEVERITY_OVERRIDES_FILE_PATH = Path(CURRENT_DIR, '..', 'etc', 'severity_overrides.yaml').resolve() +SECURITY_HUB_CONTROLS_FILE_PATH = Path(CURRENT_DIR, 'security_hub_controls.json') +LOCALS_FILE_PATH = Path(CURRENT_DIR, '..', 'managed_rules_locals.tf').resolve() +VARIABLES_FILE_PATH = Path(CURRENT_DIR, '..', 'managed_rules_variables.tf').resolve() + +# Rule packs generator constants. +RULES_DIR = 'aws-config-rules' +AWS_CONFIG_RULES_REPO = f'https://github.com/awslabs/{RULES_DIR}.git' +EXCLUDED_CONFORMANCE_PACKS = ('custom-conformance-pack',) +PACK_RULES_FILE = Path(CURRENT_DIR, '..', 'files', 'pack-rules.yaml') +PACKS_LIST_FILE = Path(CURRENT_DIR, '..', 'files', 'pack-rules-list.txt') + +logging.basicConfig( + level=logging.INFO, + force=True, + format='%(asctime)s [%(levelname)s] - %(message)s', + datefmt="%y-%m-%d %H:%M:%S") + +def usage(): + print("\nUsage: python index.py ") + +def update_config_rules(): + # Scrape AWS documentation for the latest Config Rules. 
+ generate_config_rule_data( + root_url=ROOT_PAGE, + managed_rules_page=AWS_MANAGED_RULES_PAGE, + output_file=SOURCE_FILE_NAME) + # Scrape AWS documentation for the latest Security Hub controls. + generate_security_hub_controls_data( + root_url=SECURITY_HUB_ROOT_PAGE, + controls_ref_page=SECURITY_HUB_CONTROLS_REF_PAGE, + output_file=SECURITY_HUB_CONTROLS_FILE_PATH) + + # Load the manual severity overrides. + severity_overrides_data = load_source_file(SEVERITY_OVERRIDES_FILE_PATH) + severity_overrides = [SeverityOverride(rule_name=k, data=v) for k, v in severity_overrides_data['overrides'].items()] + + # Load source file with the latest Config Rule definitions. + latest_config_rules_data = load_source_file(SOURCE_FILE_NAME) + + # Update the list of managed rules with the corresponding severity levels + # set by Security Hub controls. + controls = load_source_file(SECURITY_HUB_CONTROLS_FILE_PATH) + rules: List[AwsConfigRule] = [] + for rule_data in latest_config_rules_data: + rule = AwsConfigRule(data=rule_data) + for override in severity_overrides: + if override.rule_name == rule.tf_rule_name: + logging.info(f"Updating {rule.tf_rule_name} severity with override -> {override.severity}") + rule.set_severity_level(override.severity) + break + for control in controls: + if rule.tf_rule_name == control['rule']: + logging.info(f"Updating {rule.tf_rule_name} severity -> {control['severity']}") + rule.set_severity_level(control['severity']) + break + rules.append(rule) + + # Update the managed rules in the locals block with the latest changes. + generate_locals( + rules=rules, + output_file=LOCALS_FILE_PATH) + + # Update the Config Rules parameters variables. We only want to create + # variables for rules that have parameters. 
+ generate_variables( + rules=[x for x in rules if x.parameters_data], + output_file=VARIABLES_FILE_PATH) + +def update_rule_packs(): + '''Unless $DOWNLOAD_CONFORMANCE_PACKS is explicitly set to something other than + 'yes', clone the git repository with the conformance packs.''' + if os.environ.get('DOWNLOAD_CONFORMANCE_PACKS', 'yes') == 'yes': + logging.info("Downloading conformance packs") + if Path(RULES_DIR).exists(): + shutil.rmtree(RULES_DIR, ignore_errors=True) + subprocess.run(['git', 'clone', AWS_CONFIG_RULES_REPO]) + + yaml_files = sorted(list(Path.glob(Path(RULES_DIR, 'aws-config-conformance-packs'), '*.yaml'))) + rule_packs = [] + result = { + 'generated_on': datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z"), + 'packs': {} + } + + # Load source file with the latest Config Rule definitions. + latest_config_rules_data = load_source_file(SOURCE_FILE_NAME) + config_rules: List[AwsConfigRule] = [AwsConfigRule(data=rule) for rule in latest_config_rules_data] + + for pack_file in yaml_files: + try: + pack, rules = process_conformance_pack( + file_name=pack_file, + excluded_packs=EXCLUDED_CONFORMANCE_PACKS, + config_rules=config_rules) + except InvalidConformancePackException: + logging.warning(f"Skipping invalid conformance pack {pack_file}") + continue + result['packs'][pack] = rules + rule_packs.append(pack) + logging.info(f"Processed rule pack {pack}") + + logging.info(f"Writing rule packs to {PACK_RULES_FILE}") + with PACK_RULES_FILE.open('w') as f: + yaml.dump(result, f) + + logging.info(f"Writing rule packs list to {PACKS_LIST_FILE}") + with PACKS_LIST_FILE.open('w') as f: + f.write('\n'.join(rule_packs)) + +if __name__ == '__main__': + valid_commands = ('update-config-rules', 'update-rule-packs',) + try: + cmd = sys.argv[1] + except IndexError: + logging.error("No command provided") + logging.error(f"Valid commands: {', '.join(valid_commands)}") + usage() + exit(1) + + if cmd == 'update-config-rules': + 
update_config_rules() + elif cmd == 'update-rule-packs': + update_rule_packs() + else: + logging.error(f"Invalid command: {cmd}") + logging.error(f"Valid commands: {', '.join(valid_commands)}") + usage() + exit(1) \ No newline at end of file diff --git a/scripts/config-rule-updater/lib/__init__.py b/scripts/lib/__init__.py similarity index 100% rename from scripts/config-rule-updater/lib/__init__.py rename to scripts/lib/__init__.py diff --git a/scripts/config-rule-updater/lib/aws_config_rule.py b/scripts/lib/aws_config_rule.py similarity index 90% rename from scripts/config-rule-updater/lib/aws_config_rule.py rename to scripts/lib/aws_config_rule.py index f514538..703be30 100644 --- a/scripts/config-rule-updater/lib/aws_config_rule.py +++ b/scripts/lib/aws_config_rule.py @@ -2,7 +2,7 @@ import re import yaml -from typing import Union, List +from typing import List, Optional, Union class AwsConfigRuleLocal: 
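Review bot: In `update_config_rules` the manual severity override is applied first and then unconditionally replaced by the Security Hub control loop that follows it, so an entry in `severity_overrides.yaml` only survives for rules that have no matching control (unless `set_severity_level`, which is not in this diff, refuses later changes). Swapping the two inner loops, or skipping the control lookup when an override matched, makes the override actually take precedence, which is presumably the point of having one. In `update_rule_packs`, `subprocess.run(['git', 'clone', AWS_CONFIG_RULES_REPO])` has no `check=True`, so a failed clone is ignored and the script goes on to write a pack file built from an empty or stale directory; `subprocess.run(['git', 'clone', AWS_CONFIG_RULES_REPO], check=True)` fails loudly instead. `RULES_DIR` is also the only path resolved against the working directory rather than `CURRENT_DIR`, so `shutil.rmtree(RULES_DIR, ignore_errors=True)` removes whatever `aws-config-rules` directory happens to exist where the script is invoked from.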
@@ -13,28 +13,35 @@ def __init__(self, name: str, data: dict) -> None: class AwsConfigRule: def __init__(self, data: dict) -> None: - self.tf_variable_name: str = data['variable_name'] - """The name of the Terraform variable for the rule's parameters.""" self.tf_variable_description: str = data['description'] """The Terraform parameters variable description.""" self.parameters_data: List[str] = data['parameters'] """A list of the rule's parameters.""" self.resource_types: List[str] = data.get('resource_types', []) """A list of resource types checked by the rule.""" - self._rule_identifier: str = data['identifier'] + self.rule_name: str = data['name'] + """The name of the rule as it appears in the AWS documentation.""" + self.rule_identifier: str = data['identifier'] """The rule identifier in AWS.""" + self.tf_rule_name: str = self._get_tf_rule_name() self._rule_severity: str = data.get('severity', 'Medium') """The level of severity of noncompliant resources.""" - + @property - def name(self) -> str: - """The name of the rule.""" - return self._rule_identifier.lower().replace('_', '-') + def tf_variable_name(self) -> str: + """The name of the Terraform variable for the rule's parameters.""" + return self.tf_rule_name.replace('-', '_') + "_parameters" @property def rule_severity(self) -> str: """The level of severity of noncompliant resources.""" return self._rule_severity + + def _get_tf_rule_name(self) -> str: + normalized_identifier = self.rule_identifier.lower().replace('_', '-') + if self.rule_name != normalized_identifier: + return self.rule_name + return normalized_identifier def _format_parameter_name(self, param_name: str) -> str: """Return the parameter name with the first letter lowercased.""" 
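Review bot: `_get_tf_rule_name` returns `self.rule_name` on both paths — when the name differs from the normalized identifier it returns the name, and otherwise it returns the normalized identifier, which at that point equals the name — so the comparison is dead code and the method reads as if it were choosing between two sources. If the documentation name is meant to always win, `return self.rule_name` with a one-line comment saying the identifier is kept only for matching conformance packs states that directly; if the comparison was meant to surface mismatches, a `logging.warning` on the differing branch is the missing piece. The new `rule_identifier` attribute becomes public while `_rule_severity` stays private, which is fine, but the bare-string attribute docstrings are statements rather than comments and are easy to miss in review; a class docstring listing the attributes would read better.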
@@ -200,4 +207,10 @@ def tf_variable_default_value(self) -> str: raw_string = yaml.dump(result, default_flow_style=False, default_style='') fixed = self.replace_colons_with_equals(raw_string) return f"{{\n{fixed}}}" - return None \ No newline at end of file + return None + + +class SeverityOverride: + def __init__(self, rule_name: str, data: dict) -> None: + self.rule_name: str = rule_name + self.severity: Optional[str] = data.get('severity') \ No newline at end of file diff --git a/scripts/config-rule-updater/lib/aws_docs_reader.py b/scripts/lib/aws_docs_reader.py similarity index 54% rename from scripts/config-rule-updater/lib/aws_docs_reader.py rename to scripts/lib/aws_docs_reader.py index 639cea5..54c7800 100644 --- a/scripts/config-rule-updater/lib/aws_docs_reader.py +++ b/scripts/lib/aws_docs_reader.py @@ -1,11 +1,13 @@ import json +import logging +import re from pathlib import Path -from typing import List +from typing import List, Optional, Union import requests -from bs4 import BeautifulSoup, PageElement +from bs4 import BeautifulSoup, PageElement, ResultSet class AwsDocsReader: """Parses AWS documentation for a complete list of AWS Config Rules. @@ -47,13 +49,16 @@ def get_main_column_content(self, soup: BeautifulSoup) -> BeautifulSoup: """Return the main column element with all of the rule descriptions.""" return soup.find('div', id='main-col-body') - def format_variable_name(self, name: str) -> str: - """Format the rule name as the name of the parameters variable in Terraform.""" - return name.lower().replace('-', '_') + '_parameters' - def get_rule_description(self, soup: BeautifulSoup) -> str: """Parse the content column and return the rule's description.""" - description_tag = soup.find_next('p') + + '''Some of the rules have warnings or notes about the rule name not + matching its identifier. We need to skip over these elements and find + the first
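Review bot: `SeverityOverride` accepts an override entry with no `severity` key and stores `None`, and the caller in `index.py` passes that value straight to `rule.set_severity_level`, so a malformed entry in `severity_overrides.yaml` is acted on silently (what `set_severity_level` does with `None` is not visible in this diff). Validating in the constructor reports the problem at load time with a usable message: `if self.severity is None: raise ValueError(f"Override for {rule_name} has no 'severity'")`. A one-line class docstring such as `"""A manual severity override for one rule, read from etc/severity_overrides.yaml."""` would also explain why this class sits next to `AwsConfigRule`.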

tag with the rule description.''' + for child in soup.contents: + if child.name == 'p': + description_tag = child + break rule_description = description_tag.string if rule_description is None: return self.clean_string_with_tags( @@ -83,8 +88,11 @@ def parse_parameter_description(self, page_element: PageElement) -> str: def get_rule_identifier(self, soup: BeautifulSoup) -> List[str]: """Return the AWS rule identifier.""" - resources_element = soup.find('b', string='Identifier:') - return resources_element.next_sibling.strip() + '''Some of the rules have identifiers that don't match their rule name. + We need to use the rule name, not the actual identifier, for this + automation. Warn the user that the two don't match before returning.''' + identifier_element = soup.find('b', string='Identifier:').next_sibling.strip() + return identifier_element def get_rule_parameters(self, soup: BeautifulSoup) -> List[dict]: """Parse the rule's parameter list. Returns an empty list if there are no parameters.""" @@ -120,7 +128,7 @@ def get_rule_parameters(self, soup: BeautifulSoup) -> List[dict]: current_parameter['optional'] = False continue # Set the parameter's description. If we've made it this far in the - # list then the next element is either the start ofanother parameter + # list then the next element is either the start of another parameter # or it's the last parameter in the list, so we reset the # current_parameter value. elif child.name == 'dd': 
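Review bot: In `get_rule_description`, `description_tag` is assigned only inside the `for child in soup.contents` loop, so a page whose main column has no direct `<p>` child raises `UnboundLocalError` at `description_tag.string`, where the replaced `soup.find_next('p')` at least returned a value; because `parse_docs` catches `Exception` and returns whatever was collected so far, one such page silently truncates the generated rule list. Initialise it and fail explicitly: `description_tag = next((c for c in soup.contents if c.name == 'p'), None)` followed by `if description_tag is None: raise ValueError("No description paragraph found")`. The explanatory `'''...'''` text is a bare string expression inside the function body rather than a comment; `#` comments would keep it from being confused with the docstring. The method continues past the end of the hunk.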
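Review bot: The new docstring in `get_rule_identifier` says the method warns the user when the rule name and identifier differ, but the body does not — it has no access to the rule name and simply returns the stripped sibling text — so the comment documents behaviour that does not exist. Either drop that sentence or perform the check in `parse_docs`, where both `rule['name']` and `rule['identifier']` are in hand, e.g. `if rule['name'] != rule['identifier'].lower().replace('_', '-'): logging.warning(f"Rule name {rule['name']} differs from identifier {rule['identifier']}")`. `soup.find('b', string='Identifier:')` returning `None` still surfaces as an `AttributeError` on `.next_sibling`, as before; a targeted `ValueError` naming the page would make a docs layout change easier to diagnose. The `List[str]` return annotation does not match the single string returned.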
@@ -151,31 +159,164 @@ def parse_docs(self) -> list: result = [] try: for rule_name in aws_managed_rules: - print(f"Parsing {rule_name}") + logging.info(f"Parsing {rule_name}") rule_soup = self.get_page_soup( content=self.get_page_content(url=self._root_url + rule_name)) main_column = self.get_main_column_content(soup=rule_soup) rule = {'name': rule_name} rule['identifier'] = self.get_rule_identifier(soup=main_column) - rule['variable_name'] = self.format_variable_name(name=rule['identifier']) rule['description'] = self.get_rule_description(soup=main_column) rule['parameters'] = self.get_rule_parameters(soup=main_column) rule['resource_types'] = self.get_resource_types(soup=main_column) - result.append(rule) except Exception as e: - print(e) + logging.error(e) finally: return result -def generate_config_rule_data(root_url: str, managed_rules_page: str) -> None: - print("Scraping AWS documentation for AWS-managed Config Rules.") - output_file = 'config_rule_data.json' + +class SecurityHubControl: + def __init__(self, soup: ResultSet) -> None: + self.soup: ResultSet = soup + self.name: str = soup.string + self.severity: Optional[str] = None + self.rule: Optional[str] = None + '''The page element with the control's corresponding AWS Config Rule has + inconsistent formatting so we need to handle several cases such as: + + - "AWS Config Rule: " + - "AWS Config rule:" + - "AWS configrule" + + We're running `re.compile` here for efficiency. 
+ ''' + self.aws_config_rule_pattern: re.Pattern = re.compile(r'[Aa][Ww][Ss]\s?[Cc]onfig\s?[Rr]ule') + self._no_rule_configured: str = 'NO_CONFIG_RULE_CONFIGURED' + + self.parse(soup=self.soup) + + @property + def no_rule_configured(self) -> bool: + return self.rule == self._no_rule_configured + + def parse(self, soup: ResultSet) -> None: + for sibling in soup.next_siblings: + if self.severity and self.rule: + return + self.parse_sibling(sibling=sibling) + + def parse_sibling(self, sibling): + if not sibling.name == 'p': + return + + for child in sibling.children: + # Check for severity. + severity = self.find_severity(tag=child) + if severity is not None and self.severity is None: + self.severity = severity + continue + # Check for rule. + rule = self.find_rule(child, pattern=self.aws_config_rule_pattern) + if rule is not None and self.rule is None: + self.rule = rule + continue + + def find_severity(self, tag) -> Optional[str]: + if tag.name == 'b' and "Severity" in tag.string: + return tag.next_sibling.strip() + return None + + def find_rule(self, tag, pattern) -> Optional[str]: + if tag.name == 'b' and re.match(pattern, tag.string): + for child in tag.next_siblings: + if child.name == 'a' and child.string is not None: + return child.string + if child.name == 'code' and child.string is not None: + return child.string + if tag.string is not None: + if tag.string.strip().startswith('None'): + return self._no_rule_configured + if re.match(pattern, tag.string): + for child in tag.next_siblings: + if child.name == 'a': + return child.string + if child.name == 'code': + return child.string + return None + + def get_aws_config_rule_name(self, tag) -> str: + if tag.name == 'a': + return tag.string + if tag.name == 'code': + return tag.string + raise ValueError(f"Could not find AWS Config Rule name in {tag}") + + def to_dict(self) -> dict: + return { + 'severity': self.severity, + 'rule': self.rule, + 'control': self.name} + + +def generate_config_rule_data(root_url: 
str, managed_rules_page: str, output_file: Union[Path, str]) -> None: + logging.info("Scraping AWS documentation for AWS-managed Config Rules.") reader = AwsDocsReader( root_url=root_url, managed_rules_page=managed_rules_page) result = reader.parse_docs() - print(f"Writing result to {output_file}.") + logging.info(f"Writing result to {output_file}.") with Path(output_file).open('w') as f: f.write(json.dumps(result, indent=2)) + +def generate_security_hub_controls_data( + root_url: str, + controls_ref_page: str, + output_file: Union[Path, str]) -> None: + controls = parse_security_hub_docs( + controls_userguide_root=root_url, controls_ref_page=controls_ref_page) + with Path(output_file).open('w') as f: + f.write(json.dumps(controls, indent=2)) + +def parse_security_hub_docs(controls_userguide_root: str, controls_ref_page: str): + control_references_url = f"{controls_userguide_root}/{controls_ref_page}" + soup = get_page_soup(get_page_content(url=control_references_url)) + all_controls = get_security_hub_controls(soup=soup) + result = [] + + for pages in all_controls: + page = pages[1].strip('.') + page_soup = get_page_soup( + content=get_page_content(url=f"{controls_userguide_root}{page}")) + page_controls_soup = page_soup.find_all('h2') + logging.info(f"Working on controls: {page}") + counter = 1 + controls_length = len(page_controls_soup) + for control in page_controls_soup: + logging.info(f"Parsing ({counter}/{controls_length})") + security_hub_control = SecurityHubControl(soup=control) + if security_hub_control.no_rule_configured: + logging.warning(f"Control {control.string} has no AWS Config Rule configured. 
Skipping") + counter += 1 + continue + if not security_hub_control.severity or not security_hub_control.rule: + logging.error(f"Failed to parse control {control.string}") + counter += 1 + continue + result.append(security_hub_control.to_dict()) + counter += 1 + return result + +def get_page_soup(content: str) -> BeautifulSoup: + """Parse the content of an HTML page and return beautiful soup.""" + return BeautifulSoup(content, 'html.parser') + +def get_page_content(url: str) -> str: + """Return the content of an HTML page.""" + return requests.get(url=url).content + +def get_security_hub_controls(soup: BeautifulSoup) -> List[str]: + """Return a list of all AWS Security Hub controls.""" + topics_header = soup.find('h6', string='Topics').next_sibling + topics = topics_header.find_all_next('li') + return [(x.string, x.find_next('a').attrs['href']) for x in topics] diff --git a/scripts/config-rule-updater/lib/hcl_generator.py b/scripts/lib/hcl_generator.py similarity index 65% rename from scripts/config-rule-updater/lib/hcl_generator.py rename to scripts/lib/hcl_generator.py index ff107d6..fa218c5 100644 --- a/scripts/config-rule-updater/lib/hcl_generator.py +++ b/scripts/lib/hcl_generator.py @@ -1,17 +1,20 @@ import json +import logging from pathlib import Path -from typing import List +from typing import List, Union from lib.aws_config_rule import AwsConfigRule +import yaml + from jinja2 import Environment, PackageLoader, select_autoescape from python_terraform import Terraform def generate_variables(rules: List[AwsConfigRule], output_file: Path) -> None: """Takes an input file with a list of AWS-managed Config Rules and generates HCL code from the list.""" - print("Creating Terraform variables for AWS-managed Config Rules.") + logging.info("Creating Terraform variables for AWS-managed Config Rules.") env = Environment( loader=PackageLoader("index"), autoescape=select_autoescape()) 
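Review bot: The module-level `get_page_content` added near the end of the hunk does `requests.get(url=url).content` with no timeout and no status check, so a stalled connection blocks the generator indefinitely and an error page (404/5xx) is parsed as if it were a controls page, yielding empty or wrong severities that then flow into the generated Terraform. Use `response = requests.get(url=url, timeout=30)`, `response.raise_for_status()`, `return response.content`; the `AwsDocsReader` method of the same name, outside this hunk, likely needs the same treatment. In `SecurityHubControl.find_rule`, `re.match(pattern, tag.string)` in the first condition runs before the `tag.string is not None` guard, so a `<b>` element containing nested markup (where `tag.string` is `None`) raises `TypeError`; moving the `None` check to the top of the method fixes both branches. `get_aws_config_rule_name` does not appear to be called anywhere in the new code and can be dropped.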
@@ -28,7 +31,7 @@ def generate_variables(rules: List[AwsConfigRule], output_file: Path) -> None: def generate_locals(rules: List[AwsConfigRule], output_file: Path) -> None: """Create the managed_rules_locals `locals` block and write it to disk.""" - print("Creating Terraform locals block for AWS-managed Config Rules.") + logging.info("Creating Terraform locals block for AWS-managed Config Rules.") env = Environment( loader=PackageLoader("index"), autoescape=select_autoescape()) @@ -41,13 +44,19 @@ def generate_locals(rules: List[AwsConfigRule], output_file: Path) -> None: format_hcl() -def load_source_file(file_name: str) -> dict: +def load_source_file(file_name: Union[Path, str]) -> dict: """Return a map of rule definitions.""" + # Load using JSON or YAML based on the file extension. with Path(file_name).open() as f: - data = json.loads(f.read()) + if file_name.suffix in ('.yml', '.yaml',): + data = yaml.safe_load(f) + elif file_name.suffix == '.json': + data = json.loads(f.read()) + else: + raise ValueError(f"Unsupported file extension: {file_name.suffix}") return data -def format_hcl() -> None: +def format_hcl(path: Union[Path, str]='.') -> None: """Format Terraform files with `terraform fmt`.""" t = Terraform() - return_code, stdout, stderr = t.cmd('fmt', '../../.') + return_code, stdout, stderr = t.cmd('fmt', f"{Path(path)}") diff --git a/scripts/config-rule-updater/lib/hcl_reader.py b/scripts/lib/hcl_reader.py similarity index 100% rename from scripts/config-rule-updater/lib/hcl_reader.py rename to scripts/lib/hcl_reader.py diff --git a/scripts/lib/rule_pack_info_generator.py b/scripts/lib/rule_pack_info_generator.py new file mode 100755 index 0000000..eb03d8b --- /dev/null +++ b/scripts/lib/rule_pack_info_generator.py 
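Review bot: `load_source_file` now annotates `file_name` as `Union[Path, str]` but reads `file_name.suffix` before wrapping the argument in `Path`, so a caller passing a plain string gets `AttributeError` instead of a parsed file. Normalise first: `path = Path(file_name)`, then `with path.open() as f:` and compare `path.suffix`. Separately, `format_hcl` now defaults to `'.'` while the visible call in `generate_locals` is still `format_hcl()` with no argument, so after the move to `scripts/` the generated `.tf` files in the parent directory are formatted only when the script happens to run from the repository root; passing the output location, `format_hcl(Path(output_file).parent)`, removes the dependency on the working directory.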
@@ -0,0 +1,86 @@ +#!/usr/bin/env python + +'''Download conformance packs, parse them and produce two files: + - A YAML file containing all of the Config Rules associated with each pack + - A text file containing only a newline separated list of all the packs''' + +import logging + +from pathlib import Path +from typing import List, Tuple, Union + +import yaml + +from lib.aws_config_rule import AwsConfigRule + +class NoSourcePropertyException(Exception): + """The 'Source' property of a Rule is missing.""" + pass + + +class InvalidConformancePackException(Exception): + """The conformance pack should be excluded from the list.""" + pass + + +def get_resource_source_identifier(resource: dict) -> str: + """Get a rule's SourceIdentifier property. + + Expects a dict with the following structure: + { + 'EXAMPLE_RULE': { + 'Properties': { + 'Source': { + 'Owner': 'AWS', + 'SourceIdentifier': 'EXAMPLE_IDENTIFIER' + } + } + } + } + + Args: + resource (dict): A CloudFormation Resource definition. + + Returns: + A rule's SourceIdentifier property. 
+ + Exception: + NoSourcePropertyException: Raised when a rule is missing a 'Source' + property.""" + if resource['Properties'].get('Source', None) is None: + raise NoSourcePropertyException + return resource['Properties']['Source']['SourceIdentifier'] + +def load_conformance_pack_yaml(path: Union[Path, str]) -> dict: + with Path(path).open() as f: + return yaml.safe_load(f.read()) + +def format_identifier(identifier: str) -> str: + return identifier.lower().replace('_', '-') + +def process_conformance_pack( + file_name: str, + excluded_packs: List[str], + config_rules: List[AwsConfigRule]) -> Tuple[str, List[str]]: + yaml_file = Path(file_name) + pack = yaml_file.stem + + if pack in excluded_packs: + raise InvalidConformancePackException + + content = load_conformance_pack_yaml(yaml_file) + rules = [] + for rule, attr in content['Resources'].items(): + try: + identifier = get_resource_source_identifier(attr) + for config_rule in config_rules: + if config_rule.rule_identifier == identifier: + new_identifier = config_rule.tf_rule_name + break + if new_identifier not in rules: + rules.append(new_identifier) + except NoSourcePropertyException: + logging.warning(f"Rule '{rule}' in pack {pack} has no 'Source' property. Skipping") + continue + + return pack, sorted(rules) diff --git a/scripts/config-rule-updater/requirements.txt b/scripts/requirements.txt similarity index 80% rename from scripts/config-rule-updater/requirements.txt rename to scripts/requirements.txt index e8c5bb6..79ed02a 100644 --- a/scripts/config-rule-updater/requirements.txt +++ b/scripts/requirements.txt @@ -1,14 +1,14 @@ beautifulsoup4==4.12.2 certifi==2023.7.22 charset-normalizer==3.1.0 -coverage==7.4.4 +coverage==7.2.7 idna==3.7 -Jinja2==3.1.3 +Jinja2==3.1.4 lark==1.1.5 MarkupSafe==2.1.2 python-hcl2==4.3.1 python-terraform==0.10.1 PyYAML==6.0 -requests==2.31.0 +requests==2.32.0 soupsieve==2.4.1 urllib3==2.0.7 
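Review bot: In `process_conformance_pack`, `new_identifier` is assigned only when some `config_rule.rule_identifier` matches, so a pack that references an identifier absent from `config_rules` either raises `UnboundLocalError` (first resource) or, worse, silently reuses the `new_identifier` left over from the previous resource and records the wrong rule for that pack. A `for`/`else` on the lookup closes the gap and gives the otherwise-unused `format_identifier` a purpose: `else: new_identifier = format_identifier(identifier)` followed by `logging.warning(f"Identifier {identifier} in pack {pack} has no managed rule; using normalized name")`. The `break` on the first match is presumably intended since AWS identifiers are unique, and the `if new_identifier not in rules` check stays as it is after the resolution.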
diff --git a/scripts/config-rule-updater/templates/locals_block.jinja b/scripts/templates/locals_block.jinja similarity index 92% rename from scripts/config-rule-updater/templates/locals_block.jinja rename to scripts/templates/locals_block.jinja index 23651a6..ed287ff 100644 --- a/scripts/config-rule-updater/templates/locals_block.jinja +++ b/scripts/templates/locals_block.jinja @@ -1,7 +1,7 @@ locals { managed_rules = { {%- for rule in rules %} - {{ rule.name }} = { + {{ rule.tf_rule_name }} = { description = "{{ rule.locals_description() }}" {%- if rule.parameters_data %} input_parameters = var.{{ rule.tf_variable_name }} diff --git a/scripts/config-rule-updater/templates/variable.jinja b/scripts/templates/variable.jinja similarity index 79% rename from scripts/config-rule-updater/templates/variable.jinja rename to scripts/templates/variable.jinja index f861f87..97bf27e 100644 --- a/scripts/config-rule-updater/templates/variable.jinja +++ b/scripts/templates/variable.jinja @@ -1,5 +1,5 @@ variable "{{ config.tf_variable_name }}" { - description = "Input parameters for the {{ config.name }} rule." + description = "Input parameters for the {{ config.tf_rule_name }} rule." type = {{ config.tf_variable_type().replace(':', ' = ') }} {%- if config.tf_variable_default_value() %} default = {{ config.tf_variable_default_value().replace("'", '') }} diff --git a/scripts/config-rule-updater/tests/__init__.py b/scripts/tests/__init__.py similarity index 100% rename from scripts/config-rule-updater/tests/__init__.py rename to scripts/tests/__init__.py diff --git a/scripts/config-rule-updater/tests/test_aws_config_rule.py b/scripts/tests/test_aws_config_rule.py similarity index 100% rename from scripts/config-rule-updater/tests/test_aws_config_rule.py rename to scripts/tests/test_aws_config_rule.py