powered by GitHub Actions
- Quota limit increased to `200` (minimum) for CloudWatch Event Rules, in each region:

  ```shell
  aws service-quotas request-service-quota-increase \
    --service-code events \
    --quota-code L-244521F2 \
    --desired-value 200
  ```

- Alert policies' filenames should start with `a-`
- Remediation policies' filenames should start with `r-`
- Ensure `Account {account_id} -` is present in the `description` to identify multiple accounts independently.
- Ensure `name` is short and sweet. If the `name` is too long, the validation check will fail.
- Ensure the role name is not changed, as it is deployed via terraform in the prerequisites.
- Ensure validation.yml is being used for sanity checks.
To use the policies with an AWS account, refer to the sample workflow file. The sample workflow below is for CloudTrail-based policies; workflows for the hourly/daily frequencies can be created the same way.
```yaml
name: sample-workflow
on:
  push:
    branches:
      - main
    paths:
      - policies/cloudtrail/**
defaults:
  run:
    shell: bash
    working-directory: policies/cloudtrail/
env:
  AWS_ACCOUNT_ID: "123456789012"
  # Expanded verbatim into the deploy step below, so it must read as a bash array literal.
  REGION_LIST: |
    (
    "us-east-1"
    "ap-southeast-1"
    )
  ROLE_NAME: custodian-sample-role
jobs:
  CustodianDeployer:
    name: Deploy Lambda for CloudTrail Events
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Install python3.8
        uses: actions/setup-python@v2
        with:
          python-version: '3.8'
      - name: Install Custodian
        run: |
          pip install c7n
      - name: Configure AWS credentials from ${{env.AWS_ACCOUNT_ID}} account
        run: |
          # Assume the role created by the terraform prerequisites (90-minute session).
          CREDS=( $(aws sts assume-role --role-arn "arn:aws:iam::${{env.AWS_ACCOUNT_ID}}:role/${{env.ROLE_NAME}}" --role-session-name "${{env.ROLE_NAME}}" --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --duration-seconds 5400 --output text) )
          unset AWS_ACCESS_KEY_ID
          unset AWS_SECRET_ACCESS_KEY
          unset AWS_SESSION_TOKEN
          # Mask each temporary credential in the job log before exporting it to later steps.
          AWS_ACCESS_KEY_ID=${CREDS[0]}
          echo "::add-mask::$AWS_ACCESS_KEY_ID"
          echo AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID >> $GITHUB_ENV
          AWS_SECRET_ACCESS_KEY=${CREDS[1]}
          echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
          echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY >> $GITHUB_ENV
          AWS_SESSION_TOKEN=${CREDS[2]}
          echo "::add-mask::$AWS_SESSION_TOKEN"
          echo AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN >> $GITHUB_ENV
      - name: Check Access
        run: |
          aws sts get-caller-identity
      - name: Deploy regional policies
        run: |
          # Every policy file except those for global services is deployed to each region in REGION_LIST.
          find . \( -iname "*.yml" -o -iname "*.yaml" \) | { grep -v "route53\|cloudfront\|iam\|s3" || true; } | while read POLICY; do
            sed -i 's,REPLACE_WEBHOOK_HERE,${{ secrets.CUSTODIAN_SLACK_WEBHOOK }},g' "$POLICY"
            array=${{ env.REGION_LIST }}
            for REGION in ${array[*]}; do
              custodian run -s /tmp/ -v --cache-period 0 -c "$POLICY" --region "$REGION"
            done
          done
      - name: Deploy global policies
        run: |
          # Global services (Route 53, CloudFront, IAM, S3) are deployed once, from us-east-1.
          find . \( -iname "*.yml" -o -iname "*.yaml" \) | { grep "route53\|cloudfront\|iam\|s3" || true; } | while read POLICY; do
            sed -i 's,REPLACE_WEBHOOK_HERE,${{ secrets.CUSTODIAN_SLACK_WEBHOOK }},g' "$POLICY"
            custodian run -s /tmp/ -v --cache-period 0 -c "$POLICY" --region us-east-1
          done
```
- Ensure `REGION_LIST` is changed inside the workflow file.
- Use individual workflow files for each frequency.
- Slack Webhook: this repo uses the `CUSTODIAN_SLACK_WEBHOOK` GitHub Secret to replace the webhook placeholder during deployment.
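The naming conventions above (`a-`/`r-` filename prefixes, the `Account {account_id} -` marker in the description, a short `name`) and the workflow's regional/global split can be checked before a push. The script below is an added example, not the repo's validation.yml or Custodian's own validator; it assumes policy files are standard Custodian documents (`policies: [...]`), reuses the workflow's `route53|cloudfront|iam|s3` grep pattern, and assumes a 54-character name limit derived from the 64-character Lambda function name cap minus Custodian's `custodian-` prefix.

```python
"""Sanity checks for Custodian policy files following this repo's conventions."""
import re
from pathlib import PurePosixPath

# Assumption: Custodian names the Lambda "custodian-<name>" and Lambda function
# names are capped at 64 characters, which leaves 54 for the policy name.
MAX_NAME_LEN = 54
# Same pattern the workflow's grep / grep -v steps use to split global from regional.
GLOBAL_PATTERN = re.compile(r"route53|cloudfront|iam|s3")
PREFIXES = ("a-", "r-")  # a- = alert policy, r- = remediation policy


def deployment_scope(path):
    """Mirror the workflow's split: 'global' deploys once to us-east-1, else 'regional'."""
    return "global" if GLOBAL_PATTERN.search(path) else "regional"


def check_policy(path, policy, account_id):
    """Return the convention violations for one policy dict (empty list means OK)."""
    findings = []
    filename = PurePosixPath(path).name
    if not filename.startswith(PREFIXES):
        findings.append(f"{filename}: filename must start with 'a-' or 'r-'")
    name = policy.get("name", "")
    if not name:
        findings.append(f"{filename}: policy has no name")
    elif len(name) > MAX_NAME_LEN:
        findings.append(f"{filename}: name is {len(name)} chars, limit {MAX_NAME_LEN}")
    expected = f"Account {account_id} -"
    if expected not in policy.get("description", ""):
        findings.append(f"{filename}: description must contain '{expected}'")
    return findings


def check_document(path, document, account_id):
    """Check every policy in a loaded file; returns (scope, findings)."""
    findings = []
    for policy in document.get("policies", []):
        findings.extend(check_policy(path, policy, account_id))
    return deployment_scope(path), findings


def check_file(path, account_id):
    """Load a policy file from disk with PyYAML (installed with c7n) and check it."""
    import yaml  # lazy import so the dict-based checks above run without it
    with open(path) as fh:
        return check_document(path, yaml.safe_load(fh), account_id)


# Constructed sample documents modelled on the table rows; not files from the repo.
SAMPLES = {
    "policies/cloudtrail/a-vpn-tunnels-status-verify.yml": {"policies": [{
        "name": "a-vpn-tunnels-status-verify",
        "resource": "aws.vpn-connection",
        "description": "Account 123456789012 - Both VPN tunnels provided by AWS "
                       "Site-to-Site VPN should be in UP status",
    }]},
    "policies/cloudtrail/r-s3-bucket-encryption-set.yml": {"policies": [{
        "name": "r-s3-bucket-encryption-set",
        "resource": "s3",
        "description": "Account 123456789012 - Ensure S3 bucket encryption is enabled",
    }]},
    # Breaks all three rules: no prefix, over-long name, no account marker.
    "policies/cloudtrail/route53-domain-has-autorenew-enabled.yml": {"policies": [{
        "name": "route53-domain-has-autorenew-enabled-in-account-123456789012-daily",
        "resource": "r53domain",
        "description": "Ensure AWS Route 53 domains have AutoRenew enabled",
    }]},
}


def run_samples(account_id="123456789012"):
    """Check all constructed samples; returns {path: (scope, findings)}."""
    return {p: check_document(p, d, account_id) for p, d in SAMPLES.items()}


if __name__ == "__main__":
    for path, (scope, findings) in run_samples().items():
        print(f"[{'FAIL' if findings else 'OK'}] {path} ({scope})")
        for finding in findings:
            print("   -", finding)
```

Run it against real files with `check_file(path, account_id)` from a pre-push hook or a CI step; the scope it reports tells you which of the two deploy steps will pick the file up.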
Policy Name | Description | Resource Name |
---|---|---|
r-security-group-ingress-mysql-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress mysql access from 0.0.0.0/0 replace with VPN IP | security-group |
route53-domain-has-autorenew-enabled | Account 123456789012 - Ensure AWS Route 53 domains have AutoRenew enabled | r53domain |
r-security-group-ingress-rdp-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress rdp access from 0.0.0.0/0 replace with VPN IP | security-group |
r-security-group-ingress-ftp20-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress ftp20 access from 0.0.0.0/0 replace with VPN IP | security-group |
r-security-group-ingress-ssh-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress SSH access from 0.0.0.0/0 replace with VPN IP | security-group |
a-vpn-tunnels-status-verify | Account 123456789012 Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status | aws.vpn-connection |
r-security-group-ingress-ahsp-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress ahsp access from 0.0.0.0/0 replace with VPN IP | security-group |
r-security-group-ingress-all-tcp-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress TCP access from 0.0.0.0/0 replace with VPN IP | security-group |
r-security-group-ingress-all-udp-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress UDP access from 0.0.0.0/0 replace with VPN IP | security-group |
route53-reg-domain-has-transfer-lock | Account 123456789012 - Ensure AWS Route 53 Registered domain has Transfer lock enabled | r53domain |
iam-access-key1-rotated-90-days-or-less | Account 123456789012 - Ensure access key1 is rotated every 90 days or less | iam-user |
no-cmk-is-marked-for-deletion | Account 123456789012 - Ensure CMK KMS is not marked for deletion | kms-key |
root-account-mfa-enabled-check | Account 123456789012 - Ensure MFA is enabled for the root account | account |
cmk-use-external-key-material | Account 123456789012 - Ensure CMK KMS uses external key material | kms-key |
aws-kms-key-rotation-is-enabled | Account 123456789012 - Ensure rotation for customer created CMKs is enabled | aws.kms-key |
unencrypted-unattached-ebs-are-deleted | Account 123456789012 - Ensure unattached EBS volumes are encrypted | ebs |
aws-lambda-version-latest-not-custom | Account 123456789012 - Ensure AWS Lambda version is $LATEST and not custom version | aws.lambda |
a-sagemaker-direct-internet-access | Account 123456789012 - Amazon SageMaker Notebook Instances Should Not Have Direct Internet Access | aws.sagemaker-notebook |
iam-45-days-unused-keys | Account 123456789012 - Ensure access keys are unused for 45 days are disabled/deleted | iam-user |
a-secret-manager-no-aws-default-kmsKey-used-check | Account 123456789012 - Ensure no AWS default KMS Key is used to protect Secrets | aws.secrets-manager |
cloudfront-distributions-aws-waf-enabled | Account 123456789012 - CloudFront Distributions Should Have AWS WAF Enabled | aws.distribution |
rds-instance-public-accessibility-enable | Account 123456789012 - Ensure that Public Accessibility is set to No for Database Instances | rds |
elasticache-clusters-data-at-rest-encrypted | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted | elasticache-group |
cloudtrail-log-file-validation-is-enabled | Account 123456789012 - Ensure CloudTrail log file validation is enabled | aws.cloudtrail |
a-vpc-network-acl-unused | Account 123456789012 Unused network access control lists should be removed | network-acl |
r-sns-encrypted-at-rest | Account 123456789012 - Set Encryption On SNS topics | aws.sns |
list-vpc-in-lambda | Account 123456789012 - list vpc in lambda | lambda |
check-default-vpc-in-lambda | Account 123456789012 - check default vpc in lambda | vpc |
throttle-lambdas-in-default-vpc | Account 123456789012 - throttle Lambdas in default VPC | lambda |
unrestricted-ssh | Account 123456789012 - Ensure security group ingress doesn't allow 0.0.0.0/0 to port 22 | aws.security-group |
redis-are-in-transit-encrypted | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are In-Transit encrypted | elasticache-group |
iam-policies-attached-to-groups-roles | Account 123456789012 - Ensure IAM policies are attached only to groups or roles | aws.iam-user |
aws-security-group-default-deny | Account 123456789012 - Ensure the default security group of every VPC restricts all traffic | aws.security-group |
es-encryption-at-rest | Account 123456789012 - Amazon Elasticsearch Service Domains Should Have Encryption At Rest Enabled | aws.elasticsearch |
rest-api-gateway-stage-logging-enabled | Account 123456789012 - API Gateway Stage Logging Should Be Enabled | rest-stage |
eip-attached | Account 123456789012 - Ensure EIP allocated to VPC are attached to EC2 instances or in-use ENIs | network-addr |
iam-user-unused-credentials | Account 123456789012 - Ensure user credentials unused for 90 days are disabled/deleted | aws.iam-user |
rds-instance-enhance-monitoring-enable | Account 123456789012 - Ensure Enhance monitoring is enabled for RDS Database Instance | rds |
waf-enabled | Account 123456789012 - Ensure Waf enabled on ALB | app-elb |
r-unused-ec2-eips-removed | Account 123456789012 unused ec2 eip's should be removed | aws.elastic-ip |
no-managed-policies-attached-iam-users-directly | Account 123456789012 - Ensure no Managed Policies are attached to IAM Users directly | iam-user |
r-redshift-automatic-snapshots-enabled | Account 123456789012 - Amazon Redshift Clusters Should Have Automatic Snapshots Enabled | redshift |
rds-automatic-minor-version-upgrades-enabled | Account 123456789012 - RDS Automatic Minor Version Upgrades Should Be Enabled | aws.rds |
a-elbv2-accesslog-enabled-check | Account 123456789012 - ELBv2 Accesslog Enabled Check | app-elb |
flow-logs-are-enabled-in-all-region | Account 123456789012 - Ensure VPC flow logging is enabled in all VPCs | vpc |
a-security-groups-unused | Account 123456789012 - Ensure no unused security groups exists | aws.security-group |
r-s3-bucket-encryption-set | Account 123456789012 - Ensure S3 bucket encryption is enabled | s3 |
redis-has-multi-az-failover-enabled | Account 123456789012 - Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature is set to enabled | elasticache-group |
vpc-sg-opened-only-to-authorized-ports | Account 123456789012 - Ensure security group doesn't have 0.0.0.0/0 ingress except for port 443 | aws.security-group |
sagemaker-endpoint-configuration-encryption | Account 123456789012 - SageMaker Endpoint Configuration Encryption Should Be Enabled | aws.sagemaker-endpoint-config |
r-redshift-automatic-upgrades-major-versions-enabled | Account 123456789012 - Amazon Redshift Should Have Automatic Upgrades To Major Versions Enabled | aws.redshift |
route53-domain-is-not-expired-high | Account 123456789012 - Ensure AWS Route 53 Registered domain is not expired | r53domain |
unused-iam-with-password-ak-deleted | Account 123456789012 User has no password, User has no ak/sk and User is older than 7 days deleted | iam-user |
cloudfront-distribution-origin-access-identity-enabled | Account 123456789012 - CloudFront distributions should have origin access identity enabled | aws.distribution |
es-least-three-data-nodes | Account 123456789012 - Elasticsearch domains should have at least three data nodes | aws.elasticsearch |
aws-lambda-env-vars-encrypted-at-rest | Account 123456789012 - Ensure AWS Lambda env vars encrypted at rest | aws.lambda |
rds-backup-enabled | Account 123456789012 - RDS DB Instance Backup Should Be Enabled | aws.rds |
es-node-to-node-encryption-enabled | Account 123456789012 - Ensure AWS Elasticsearch Service domains are using the latest version of Elasticsearch engine | elasticsearch |
elasticache-memcache-not-using-default-ports | Account 123456789012 - Ensure that AWS ElastiCache Memcached clusters are not using 11211 port | cache-cluster |
iam-policies-in-use | Account 123456789012 - Ensure IAM policy are in use | iam-policy |
cloudfront-distributions-require-encryption-transit | Account 123456789012 - CloudFront distributions should require encryption in transit | aws.distribution |
s3-account-level-public-access-blocks | Account 123456789012 - Ensure Account level S3 public access block is enabled | aws.account |
es-has-enabled-slow-logs-to-cw-logs | Account 123456789012 - Ensure AWS Elasticsearch Service domains have enabled the support for publishing slow logs to AWS CloudWatch Logs | elasticsearch |
aws-log-group-missing-retention-days | Account 123456789012 - Ensure log groups have retention period set | aws.log-group |
rds-instance-encryption-enable | Account 123456789012 - Ensure Encryption is enabled for the database Instance | rds |
dynamodb-encrypted-aws-kms | Account 123456789012 - DynamoDB table should be encrypted with AWS KMS | aws.dynamodb-table |
r-delete-igw-unattached-vpc | Account 123456789012 - Delete internet gateways unattached vpc | internet-gateway |
no-root-account-access-key-exists | Account 123456789012 - Ensure no root account access key exists | account |
aws-config-is-enabled-in-all-regions | Account 123456789012 - Ensure AWS Config is enabled in all regions | account |
elasticache-clusters-in-transit-encrypted | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are In-Transit encrypted | elasticache-group |
rds-instance-deletion-protection-enable | Account 123456789012 - Ensure Deletion Protection is enabled for RDS DB Instance | rds |
iam-policy-no-statements-with-admin-access | Account 123456789012 - Ensure IAM policy with no statements with admin access | iam-policy |
a-elb-classic-connection-draining-check | Account 123456789012 - ELB Connection Draining Check | elb |
cmk-expiry-set-with-ext-key-material | Account 123456789012 - Ensure that the key expiry is set for CMK with external key material | kms-key |
iam-allow-all-policy-alert | Account 123456789012 - Ensure IAM policies that allow full administrative privileges are not created | iam-policy |
cloudtrail-integrated-cloudwatch-logs | Account 123456789012 - Ensure CloudTrail trails are integrated with CloudWatch Logs | cloudtrail |
a-wafv2-logging-enabled | Account 123456789012 - Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs) | aws.wafv2 |
a-sns-encrypted-at-rest | Account 123456789012 - SNS topics should be encrypted at rest using AWS KMS | aws.sns |
cloudtrail-logs-are-encrypted-using-kms-cmk | Account 123456789012 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs | aws.cloudtrail |
a-elb-classic-crosszone-check | Account 123456789012 - ELB CrossZone Check | elb |
aws-lambda-tracing-is-enabled | Account 123456789012 - Ensure AWS lambda tracing is enabled. | aws.lambda |
rest-api-gateway-stages-ssl-backend-auth | Account 123456789012 - API Gateway REST API stages should be configured to use SSL certificates for backend authentication | rest-stage |
s3-bucket-versioning-medium | Account 123456789012 - Ensure versioning is enabled for S3 buckets | s3 |
es-least-three-dedicated-master-nodes | Account 123456789012 - Elasticsearch domains should be configured with at least three dedicated master nodes | aws.elasticsearch |
r-apigateway-caching-verify | Account 123456789012 - API Gateway stage caching verify | rest-stage |
cloudfront-distribution-logging-enabled | Account 123456789012 - CloudFront distribution should have logging enabled | aws.distribution |
elb-custom-security-policy-ssl-check | Account 123456789012 - Ensure Classic LB SSL listeners are using custom policy | elb |
iam-password-policy-best-practices | Account 123456789012 - IAM Password Policy Best Practices | account |
aws-log-group-encryption-at-rest | Account 123456789012 - Log group encryption at rest should be enabled | aws.log-group |
efs-encryption-has-cmk-for-data-at-rest | Account 123456789012 - Ensure CMK is used to encrypt data at rest for EFS | efs |
elasticache-automatic-backup-retention-period-15 | Account 123456789012 - ElastiCache Redis Cluster Automatic Backup Should Be Enabled With Retention Period Of 15 days Or Greater | elasticache-group |
aws-iam-ssl-tls-expired-certs-alert | Account 123456789012 - SSL/TLS Certificate that are already expired | iam-certificate |
dms-instance-not-publicly-accessible | Account 123456789012 - DMS replication instances should not be publicly accessible | aws.dms-instance |
r-redshift-enhanced-vpc-routing-enabled | Account 123456789012 - Amazon Redshift Clusters VPC Routing Enabled | redshift |
ec2-instance-detailed-monitoring-enabled | Account 123456789012 - EC2 instance detailed monitoring should be enabled | ec2 |
rest-api-gateway-stage-associated-aws-waf-web-acl | Account 123456789012 - API Gateway Should Be Associated With An AWS WAF Web ACL | rest-stage |
ami-owned-by-an-aws-account-are-encrypted | Account 123456789012 - Ensure AMIs owned by an AWS account are encrypted | ami |
s3-public-rw-prohibited | Account 123456789012 - Ensure S3 bucket prohibits public read or write access | s3 |
rds-cluster-deletion-protection-enable | Account 123456789012 - Ensure Deletion Protection is enabled for RDS DB Cluster | rds-cluster |
ec2-instance-ebs-optimization-enabled | Account 123456789012 - EC2 instance should have EBS optimization enabled | ec2 |
root-account-hardware-mfa-enabled-check | Account 123456789012 - Ensure hardware MFA is enabled for the root account | account |
cloudFront-distributions-default-root-object | Account 123456789012 - CloudFront Distributions Should Have A Default Root Object Configured | aws.distribution |
iam-access-key1-rotated-45-days-or-less | Account 123456789012 - Ensure access key1 is rotated every 45 days or less | iam-user |
acm-certificate-expiration-check | Account 123456789012 - ACM certificates about to expire in 14 days | acm-certificate |
no-key-pair-present-in-aws-account | Account 123456789012 - Ensure no key pair present in aws account. | aws.key-pair |
password-policy-check-pwd-reuse-prevention | Account 123456789012 - Ensure that the IAM Password Policy prevents a new password from being the same as the last 6 passwords. | aws.account |
aws-log-group-retention-not-less-than-year | Account 123456789012 - Ensure log groups have retention period at least a year | aws.log-group |
unrestricted-common-ports | Account 123456789012 - Ensure SG ingress doesn't allow 0.0.0.0/0 to ports 20,21,22,139,445,3306 or 3389 | aws.security-group |
es-encrypted-tls-1-2 | Account 123456789012 - Connections to Elasticsearch domains should be encrypted using TLS 1.2 | aws.elasticsearch |
aws-log-group-missing-retention-days-remediate | Account 123456789012 - Ensure log groups have retention period set | aws.log-group |
elasticache-redis-not-using-default-ports | Account 123456789012 - Ensure that AWS ElastiCache redis clusters are not using 6379 port | elasticache-group |
iam-90-days-unused-keys | Account 123456789012 - Ensure access keys are unused for 90 days are disabled/deleted | iam-user |
redis-clusters-are-encrypted-at-rest | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted | elasticache-group |
r-redshift-encryption-enabled | Account 123456789012 - Redshift cluster audit logging and encryption should be enabled | aws.redshift |
r-redshift-prohibit-public-access | Account 123456789012 - Amazon Redshift Clusters Should Prohibit Public Access | aws.redshift |
copy-tags-volume-to-ebs-snapshots | Account 123456789012 - copy tags volume to ebs snapshots | ebs-snapshot |
r-ebs-snapshots-create-encrypted | Account 123456789012 - Create encrypted ebs snapshot remove unencrypted ebs | ebs-snapshot |
a-lambda-should-in-vpc | Account 123456789012 - Lambda functions should be in a VPC | lambda |
cloudwatch-alarm-action-should-be-enabled | Account 123456789012 - CloudWatch alarm action should be enabled | aws.alarm |
a-rds-aurora-clusters-backtracking-enabled | Account 123456789012 - Amazon Aurora clusters should have backtracking enabled | rds-cluster |
internet-gateway-authorized-vpc-only | Account 123456789012 - Ensure Internet Gateway has authorized VPC | internet-gateway |
a-elb-accesslog-enabled-check | Account 123456789012 - ELB Accesslog Enabled Check | elb |
rds-cluster-encryption-enable | Account 123456789012 - Ensure Encryption is enabled for the RDS cluster | rds-cluster |
dynamodb-point-in-time-recovery | Account 123456789012 - DynamoDB Table Point-In-Time Recovery Should Be Enabled | aws.dynamodb-table |
redshift-cluster-public-access-check | Account 123456789012 - Ensure Redshift Cluster are not publicly accessible | redshift |
kms-cmk-marked-for-deletion | Account 123456789012 - Ensure KMS CMK is not marked for deletion | kms-key |
vpc-default-security-group-closed | Account 123456789012 - Ensure default security group of any VPC does not allow inbound or outbound traffic | aws.security-group |
s3-mfa-delete-enabled | Account 123456789012 - Ensure MFA Delete Is Enabled On S3 Buckets | aws.s3 |
r-apigateway-stage-cache-data-encrypted | Account 123456789012 - API Gateway REST API cache data should be encrypted at rest | rest-stage |
r-elbv2-enabled-drop-http-headers | Account 123456789012 - ELBv2 Enabled Drop HTTP Headers | app-elb |
efs-encryption-is-enabled-for-data-at-rest | Account 123456789012 - Ensure EFS Encryption is enabled for data at rest | efs |
a-sagemaker-notebook-encryption | Account 123456789012 - Sagemaker Notebook Instance Encryption Missing. | aws.sagemaker-notebook |
elasticsearch-node-to-node-encryption | Account 123456789012 - Ensure Elasticsearch has node to node encryption enabled | aws.elasticsearch |
r-s3-enable-versioning | Account 123456789012 - s3 enable versioning | s3 |
r-rest-api-gateway-stages-x-ray-tracing-enabled | Account 123456789012 - API Gateway REST API Stages should Have AWS X-Ray Tracing Enabled | rest-stage |
r-elb-delete-unused | Account 123456789012 - Delete unused ELB | elb |
redshift-cluster-tls-ssl-check | Account 123456789012 - Ensure Redshift Cluster require_ssl is not false | redshift |
es-node-to-node-encryption-enabled | Account 123456789012 - Ensure node-to-node encryption feature is enabled for AWS Elasticsearch Service domains | elasticsearch |
s3-access-logging-is-enabled | Account 123456789012 - Ensure Server access logging is enabled | s3 |
a-redshift-audit-logging-enabled | Account 123456789012 - Redshift Cluster Audit Logging Should Be Enabled | aws.redshift |
cloudtrail-is-enabled-all-region | Account 123456789012 - Ensure CloudTrail is enabled in all regions | aws.cloudtrail |
r-aws-lambda-tracing-is-enabled | Account 123456789012 - Ensure AWS lambda tracing is enabled. | aws.lambda |
a-rds-cluster-snapshot-shared-with-account | Account 123456789012 - Ensure RDS cluster snapshot is not shared with any aws account | rds-cluster-snapshot |
a-elasticache-snapshot-copies-to-s3 | Account 123456789012 - Ensure Elasticache snapshot is not copied to S3 Bucket | cache-snapshot |
a-rds-public-snapshot | Account 123456789012 - Ensure RDS Snapshot is not shared with public | rds-snapshot |
a-rds-instance-access-to-public | Account 123456789012 - Ensure RDS instances are not publicly accessible | rds |
a-s3-bucket-settings-for-public-is-set | Account 123456789012 - Ensure bucket settings are proper for public access | s3 |
a-route53-has-autorenew-enabled | Account 123456789012 - Ensure AWS Route 53 domains have AutoRenew enabled | r53domain |
a-s3-deny-bucket-policy-grant-access-to-all | Account 123456789012 - S3 Bucket Policy deny Access to Everyone | s3 |
a-ec2-ami-creation-alert | Account 123456789012 - AMI Creation alert | ami |
a-ec2-public-ami | Account 123456789012 - Ensure AMIs are not shared with public | ami |
a-ec2-unattached-ebs-are-encrypted | Account 123456789012 - Ensure unattached EBS volumes are encrypted | ebs |
a-ec2-public-ebs-snapshot | Account 123456789012 - Ensure EBS snapshot is not publicly accessible | ebs-snapshot |
a-s3-server-side-encryption-is-enabled-for-s3-bucket | Account 123456789012 - Ensure Server Side Encryption is enabled | s3 |
a-s3-bucket-acl-grant-access-to-all-or-auth-users | Account 123456789012 - S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users | s3 |
ami-shared-with-other-account | Account 123456789012 - Ensure AMI is not shared with any aws account | ami |
a-rds-public-cluster-snapshot | Account 123456789012 - Ensure RDS Cluster Snapshot is not shared with public | rds-cluster-snapshot |
a-s3-access-logging-is-enabled-for-s3-buckets | Account 123456789012 - Ensure Server access logging is enabled | s3 |
a-s3-versioning-is-enabled-for-s3-buckets | Account 123456789012 - Ensure versioning is enabled for S3 buckets | s3 |
a-ec2-ebs-snapshot-shared-with-account | Account 123456789012 - Ensure EBS snapshot is not shared with any aws account | ebs-snapshot |
a-redshift-snapshot-shared-with-account | Account 123456789012 - Ensure Redshift Cluster Snapshot is not shared with another account | redshift-snapshot |
a-route53-reg-domain-has-transfer-lock | Account 123456789012 - Ensure AWS Route 53 Registered domain has Transfer lock enabled | r53domain |
r-ec2-ami-shared-with-account | Ensure public launch permission from AMI are removed | ami |
a-rds-snapshot-shared-with-account | Account 123456789012 - Ensure RDS snapshot is not shared with any aws account | rds-snapshot |
a-iam-mfa-enable-users-with-console-password | Account 123456789012 - Ensure MFA must be enabled for all user accounts that have a console password. | aws.iam-user |
a-firehose-delivery-stream-encryption-sse-configured | Account 123456789012 - Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured | firehose |
a-redis-clusters-are-encrypted-with-cmk | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted with CMK | elasticache-group |
a-elb-clb-is-not-using-unencrypted-protocol | Account 123456789012 - Classic ELB is using unencrypted protocol | elb |
a-redis-clusters-are-auth-enabled | Account 123456789012 - Ensure AWS ElastiCache Redis cluster with Redis AUTH feature is enabled | elasticache-group |
r-s3-server-side-encryption-is-enabled | Account 123456789012 - Ensure Server Side Encryption is enabled | s3 |
a-firehose-delivery-stream-encryption-config-has-cmk | Account 123456789012 - Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured with KMS Customer Managed Keys | firehose |
r-security-group-default-sg-remove-permissions | Account 123456789012 - Ensure default security group of any VPC does not allow inbound or outbound traffic | security-group |
a-s3-acl-access-to-all-or-auth-users | Account 123456789012 - S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users | s3 |
a-s3-deny-bucket-policy-access-to-all | Account 123456789012 - S3 Bucket Policy deny Access to Everyone | s3 |
r-s3-policy-enforces-encryption-in-transit | Account 123456789012 - Ensure that bucket policy enforces encryption in transit | s3 |
a-elb-listener-is-not-using-unencrypted-protocol | Account 123456789012 - Ensure ELB are not using unencrypted protocol | app-elb |
r-security-group-unused-sg-remove | Account 123456789012 - Ensure remove unused security group | security-group |
r-enable-vpc-flowlog-on-vpcs | Account 123456789012 - Ensure that each VPC has VPC FlowLogs enabled | vpc |
a-s3-server-side-encryption-is-enabled | Account 123456789012 - Ensure Server Side Encryption is enabled | s3 |
r-cloudwatch-set-log-group-retention | Account 123456789012 - Set log group retention on cloudwatch | log-group |