Compliance
HIPAA
Ensure IAM policies that allow full *-* administrative privileges are not created
Ensure IAM policies that allow full *-* administrative privileges are not created
- Restricting the creation of IAM policies that allow full ”-” administrative privileges helps in maintaining a principle of least privilege, ensuring only necessary permissions are granted. This significantly reduces the risk of unauthorized access or potential misuse of permissions.
- Without this policy, there could be unrestricted access across all services within the AWS environment, increasing the risk of inadvertent modifications or deletions, possibly leading to business disruption, data loss or service unavailability.
- Overly permissive IAM policies could potentially open up avenues for security breaches. A hacker who gains access to these permissions could take control of the entire AWS account, stealing sensitive information, or injecting malicious code.
- Imposing this security policy encourages the adoption of role-based access control (RBAC), increasing accountability and enforceability. This can help an organization monitor and audit user actions more effectively and detect policy violations promptly.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.314(b)(2)(i)
Ensure ALB protocol is HTTPS
Ensure ALB protocol is HTTPS
- Ensuring ALB protocol is HTTPS improves data security during transmission between the client and the server, as HTTPS uses encryption to protect data from getting intercepted or altered.
- This policy will help organisations comply with data privacy laws and regulations that require encryption of sensitive data in transit, potentially safeguarding against legal penalties and reputational damage.
- Non-compliance with this policy could expose traffic to man-in-the-middle (MITM) attacks, where an attacker intercepts and potentially modifies traffic passing between two parties without them knowing.
- Implementing this policy could enhance customer trust, given that web browsers alert or even block users from accessing sites and services not using HTTPS. This could ultimately contribute to user retention and satisfaction.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.314(b)(2)(i)
Ensure all data stored in the Elasticsearch is securely encrypted at rest
Ensure all data stored in the Elasticsearch is securely encrypted at rest
- This policy helps to protect sensitive information from unauthorized access by encrypting all data at rest in Elasticsearch. This adds an extra layer of security, making it difficult for intruders to read and utilize the data if they somehow get access to storage.
- Ensuring encryption at rest for Elasticsearch data can help organizations comply with regulatory standards like GDPR or HIPAA, which require specific measures for protecting data and may result in penalties if not followed.
- Implementing this policy would also improve system reliability by minimizing the potential attack surface for exploits that can steal unprotected data, thereby adding an extra layer of defense against data breaches and leaks.
- Encrypting data at rest can also prevent data corruption, as encryption can add redundancy checks that ensure data integrity and prevent accidental alterations or deletions. This could potentially save the organization from enormous reparation costs and loss of customer confidence.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
Ensure all Elasticsearch has node-to-node encryption enabled
Ensure all Elasticsearch has node-to-node encryption enabled
- Ensuring all Elasticsearch nodes have node-to-node encryption enabled provides an additional security layer against unauthorized access and data breaches. Without node-to-node encryption, the data transmitted between Elasticsearch nodes could be intercepted and read, posing a significant security risk.
- Enabling node-to-node encryption in Elasticsearch helps organizations meet compliance requirements. Many industries have regulations that mandate the encryption of data both in transit and at rest, so enabling this feature can help companies in regulated industries stay within compliance guidelines.
- Configuring Elasticsearch without node-to-node encryption may lead to data leakage, providing cybercriminals with sensitive information. Once the information has been leaked, it can have severe effects on both the organization’s reputation and its financial status.
- Implementing this policy can prevent potential network eavesdropping attacks by encrypting communication between Elasticsearch nodes. This kind of attack can be conducted by an attacker with access to the network to intercept and even potentially manipulate data packets being transmitted between nodes.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(c)(1)
- 164.312(e)(1)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one number
- This policy enhances the security of IAM user accounts by requiring the inclusion of at least one numerical character in the password, making it harder for unauthorized users to guess or crack passwords.
- By implementing this policy via Terraform, it can be ensured that it is applied consistently across the infrastructure, reducing the risk of human error and maintaining the necessary security standard.
- It supports the best practice of password complexity to secure sensitive data and resources in an AWS environment and helps organizations comply with certain regulatory standards that dictate strong password policies.
- The policy can potentially deter or slow down brute-force attacks that guess passwords, as the attackers have to try a larger combination of possibilities, therefore increasing the security of IAM accounts.
- The check violates the following HIPAA rules:
- 164.308(a)(4)(ii)(B)
- 164.308(a)(5)(ii)(D)
- 164.312(d)
- 164.314(b)(2)(i)
Ensure IAM password policy prevents password reuse
Ensure IAM password policy prevents password reuse
- The policy ensures that users can’t reuse old passwords, thereby reducing the risks related to compromised passwords. If a hacker gets access to old passwords, they won’t be able to use them.
- This policy improves the security posture of the AWS IAM, as enforcing unique passwords for accounts requires users to constantly change and update their passwords, making it difficult for unauthorized users to gain access.
- Enforcing a no password reuse policy encourages the use of strong and unique passwords among users. This, in turn, makes the system more secure by hardening authentication processes.
- It fosters better password management practices among users, leading to a culture of security consciousness and vigilance against potential cybersecurity threats.
- The check violates the following HIPAA rules:
- 164.308(a)(4)(ii)(B)
- 164.308(a)(5)(ii)(D)
- 164.312(d)
- 164.314(b)(2)(i)
Ensure all data stored in the RDS is securely encrypted at rest
Ensure all data stored in the RDS is securely encrypted at rest
- Encrypting data at rest in the RDS helps prevent unauthorized users and malicious actors from illegally accessing sensitive information, thereby significantly enhancing the security of the database.
- In the event of a security breach or intrusion, encryption ensures that the stolen data is unreadable and essentially useless, further protecting customer data and other essential business information.
- Using secure encryption methods in RDS as prescribed by the policy ensures compliance with various regulations pertaining to data security, such as GDPR or HIPAA, which in turn can save the organization from hefty fines and legal implications.
- Encryption policies like this mitigates risks related to data exfiltration or leakage, which can cause reputational damage, financial losses, and loss of customer trust for the business, thus maintaining the integrity of business operations.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
Ensure all data stored in RDS is not publicly accessible
Ensure all data stored in RDS is not publicly accessible
- This policy safeguards sensitive information by ensuring no unauthorized users can access the data stored in RDS, thereby reducing the risk of data breaches and maintaining the confidentiality and integrity of the data.
- It helps in mitigating potential legal and financial repercussions. If sensitive data such as personal identifiable information (PII) gets breached, the company might face heavy penalties and damage of reputation.
- Enforcing this policy aligns with the best practices for data security in cloud computing environments, especially within AWS, fostering trust among stakeholders, clients and regulatory bodies.
- By automatically blocking public access through Infrastructure as Code (IaC) methods like Cloudformation, the policy minimizes human error and the risk associated with manual configuration adjustments, thus enhancing the overall security posture of the cloud environment.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
Ensure the S3 bucket has access logging enabled
Ensure the S3 bucket has access logging enabled
- Enabling access logging for the S3 bucket provides detailed records for the requests made to this bucket. This is essential as it helps track any changes made to the bucket and allows for easy tracing of the activities in the event of security breaches or for general auditing.
- It helps protect against unauthorized access or data breaches by keeping track of all the access requests including the source, time of access, the object that was accessed, and the action performed. Identifying any unexpected behavior or malicious activity becomes more efficient.
- This access log can serve as a research base when working towards compliance with different standards or legal requirements. Companies with significant regulatory burdens can use these logs to establish patterns, corroborate events, or provide evidence in support of an investigation.
- This policy will also provide a hindsight into the bucket’s typical usage patterns and help identify any unnecessary or redundant access actions. Such an understanding can lead to optimization of operations and cost management in relation to data storage and management in an AWS environment.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.312(b)
Ensure the S3 bucket has server-side-encryption enabled
Ensure the S3 bucket has server-side-encryption enabled
- Server-side encryption for S3 buckets adds an additional layer of protection to the data by encrypting it as soon as it arrives at the server, providing data security during transit and while at rest, thereby reducing the risk of unauthorized data access.
- It aids in meeting compliance requirements for data sensitivity and privacy, such as the GDPR and HIPAA, which mandate that data stored in the cloud must be encrypted.
- It helps to prevent data breaches and the potential financial and reputational damage that might result, offering an extra safeguard against hackers and minimizing the possibility of sensitive data being compromised.
- Without this policy in place, essential encrypted data storage standards may be overlooked, leading to unprotected cloud storage, ease of access for hackers, and potential data loss.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(c)(2)
- 164.312(c)(2)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
Ensure the S3 bucket does not allow READ permissions to everyone
Ensure the S3 bucket does not allow READ permissions to everyone
- This policy is important because it prevents unauthorized access to sensitive information stored in your S3 buckets. If read permissions are allowed to everyone, anyone can access and download the data, leading to potential data leakage or breaches.
- This policy’s impact is to significantly enhance the security of S3 buckets by enforcing access control measures. It ensures that only authorized personnel can have access to the data stored in the buckets.
- It promotes the principle of least privilege, a standard security practice which recommends that users be given the minimum levels of access necessary to perform their job functions, thereby reducing the risk of accidental or malicious misuse of sensitive information.
- If the policy is not implemented, it could lead to non-compliance with various data protection regulations like GDPR, HIPAA among others which can result in significant legal fines and reputation damage to the organization.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
- 164.314(b)(1)
- 164.314(b)(2)
Ensure the S3 bucket has versioning enabled
Ensure the S3 bucket has versioning enabled
- Enabling versioning on an S3 bucket ensures easy recovery in case of a data loss situation, as all previous versions of an object are preserved, thus making it important for data integrity and continuity.
- Without versioning, any accidental deletions, overwrites, or incorrect modifications made to objects within the bucket are permanent. Therefore, its implementation increases the level of resilience against human errors and system failures, providing an extra layer of data protection.
- The policy is crucial for disaster recovery strategies as versioning allows rollback to a specific version in the event of a security incident, such as ransomware attack or malicious deletion, thus ensuring the availability of data when needed.
- Enabling versioning can also contribute towards meeting compliance requirements where maintaining an audit trail and historical data is mandated. This ultimately results in improved accountability and the ability to perform in-depth investigations when necessary.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.308(a)(7)(i)
- 164.308(a)(7)(i)
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.308(a)(7)(ii)(B)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
- 164.312(a)(2)(ii)
- 164.312(c)(1)
- 164.312(c)(2)
Ensure SageMaker Notebook is encrypted at rest using KMS CMK
Ensure SageMaker Notebook is encrypted at rest using KMS CMK
- This policy aims to safeguard sensitive data processed or stored in the SageMaker Notebook by encrypting it at rest using Key Management Service (KMS) Customer Master Key (CMK), reducing the risk of unauthorized access or data exposure.
- Encryption using KMS CMK provides an additional layer of security beyond the default AWS managed keys, as the customer has direct control over the CMK, including its rotation and revocation, increasing data security and compliance standards.
- Failing to use encryption at rest could result in non-compliance with data protection regulations and organizations might face hefty fines or other legal consequences.
- This policy also supports Infrastructure as Code (IaC) practices by leveraging Terraform scripts for resource implementation, allowing efficient deployment, versioning, and management of the AWS resources and security settings.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
Ensure all data stored in the SNS topic is encrypted
Ensure all data stored in the SNS topic is encrypted
- This policy guarantees that all data stored in the Simple Notification Service (SNS) topic is encrypted, meaning even if the data is intercepted, it cannot be read without decryption access. This offers an extra layer of security and protection against data breaches.
- Without the added security of this policy, unauthorized users may easily read intercepted data, resulting in potential privacy issues, sensitive data leakage, and non-compliance penalties.
- By encoding the data stored in the SNS topic, it also helps maintain the integrity of the information. The encryption acts as a barrier against tampering, as illegitimate changes to the data would be apparent when it’s decrypted.
- Enforcing this policy leverages AWS SNS’s encryption capabilities and helps organizations meet regulatory and compliance requirements for data protection, increasing their credibility and trustworthiness in the eyes of customers and other stakeholders.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(2)(i)
Ensure DynamoDB point in time recovery (backup) is enabled
Ensure DynamoDB point in time recovery (backup) is enabled
- Enabling DynamoDB point in time recovery (backup) ensures data resilience by providing protection against inadvertent write or delete operations. If tables are accidentally deleted or modified, the changes can be reversed, maintaining data integrity.
- It results in operational efficiency and financial savings by negating the need for manual backups or having to recreate data due to any accidental loss. The entire backup and restore process gets automated, reducing the administrative efforts.
- Compliance to industry standards like GDPR, HIPAA, and PCI DSS may require businesses to maintain databases with backup and restore capabilities. Using DynamoDB point in time recovery helps meet these regulatory requirements and avoid potential legal issues.
- Mistaken deletions or catastrophic events can lead to serious business disruptions. Activating the point in time recovery feature for DynamoDB acts as a safety net, ensuring businesses continuity and reputation management.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail log file validation is enabled
- Ensuring CloudTrail log file validation is enabled provides an additional layer of security by verifying that the CloudTrail logs have not been tampered with. This safeguard helps maintain the integrity of logs and the reliability of audit activities in the AWS environment.
- This policy is critical because log file validation allows for the detection of unauthorized changes to log files. If a log file is modified, deleted, or moved from its original location, it will fail validation, notifying admins about potential security breaches.
- The enabled log file validation policy contributes to establishing a robust security posture in AWS. It supports compliance with industry security standards and regulations that require monitoring and logging of activities in the IT infrastructure.
- It can prevent potential data loss situations. If a CloudTrail log file is inadvertently modified or deleted, the log record remains intact because it retains a copy of the content. This policy helps to ensure traceability and accountability of actions made in the AWS environment.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(c)(1)
- 164.312(c)(2)
Ensure EFS is securely encrypted
Ensure EFS is securely encrypted
- Ensuring that EFS (Elastic File System) is securely encrypted helps protect sensitive data stored in the AWS EFS, providing an extra layer of safety against unauthorized access and data breaches.
- Enforcing this policy can significantly enhance the security posture of the AWS environment since EFS, primarily used for sharing data across multiple instances, without encryption, can expose sensitive data to potential eavesdropping activities.
- Compliance with regulations: Many industries and jurisdictions have mandatory data protection laws and regulations that require encryption-at-rest for certain types of data. Implementing EFS encryption ensures compliance with such regulatory requirements.
- This policy, implemented via Infrastructure as Code (IaC) such as Cloudformation, enables automated, repeatable, and scalable encryption process which will reduce manual errors and overhead of manual configuration, thus improving efficiency while assuring compliance continuously.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(2)(i)
Ensure Kinesis Stream is securely encrypted
Ensure Kinesis Stream is securely encrypted
- Ensuring Kinesis Stream encryption is crucial because it protects sensitive data from unauthorized access and breaches by encrypting all the data records using AWS Key Management Service (KMS) keys.
- It safeguards the confidentiality and integrity of the data transmitted through the stream, thereby ensuring that information isn’t compromised if intercepted during transit or at rest.
- Implementing this policy via Infrastructure as Code (IaC) using Cloudformation allows for better scalability, manageability, and consistency, preventing misconfigurations that could leave the data vulnerable.
- Non-compliance to this policy could lead to regulatory fines if found in violation of standards like GDPR or HIPAA, which require robust measures for protection of personal data.
- The check violates the following HIPAA rules:
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(2)(i)
Ensure no IAM policies documents allow * as a statement's actions
Ensure no IAM policies documents allow * as a statement's actions
- This policy ensures that overly broad permissions aren’t given out, which could lead to unauthorized access. By stopping the usage of ”*” as a statement’s actions in IAM policies, it ensures that permissions are granted only to specific resources and actions.
- Enforcing this rule prevents potential misuse or exploitation, reducing the risk of a major data breach. If compromised, an overly permissive policy can lead to substantial damage inside the AWS Infrastructure.
- Ensuring no IAM policies allow ”*” as a statement’s actions promotes the best practice of least privilege, meaning that users, roles, or services are granted only the minimum permissions necessary to perform their tasks. This significantly minimizes the potential impact if a security breach does occur.
- An IAM policy that allows ”*” as a statement’s actions is not compliant with industry standards and regulatory frameworks such as ISO 27001, PCI-DSS, or GDPR, potentially leading to legal implications and penalties. The enforcement of this rule keeps the infrastructure compliant.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.314(b)(2)(i)
Ensure S3 bucket has block public ACLs enabled
Ensure S3 bucket has block public ACLs enabled
- Enabling block public ACLs on S3 buckets mitigates the risk of inadvertent data exposure by preventing public access via bucket ACLs, a type of access control list applied to S3 buckets.
- This policy strengthens the defense-in-depth strategy for protecting sensitive data by adding another layer of security which prevents public read/write access permissions regardless of other permissions.
- Non-conformance with this policy could expose the organization to potential security threats like unauthorized data access, data leakage, or even loss of sensitive data which could lead to legal compliance issues and financial losses.
- The configuration for blocking public ACLs can be automated and checked using infrastructure as code (IaC) tools such as CloudFormation, ensuring continuous and consistent application of security controls across all S3 buckets in AWS.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(3)(i)
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.308(a)(4)(ii)(C)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(a)(1)
- 164.312(a)(1)
- 164.312(e)(1)
- 164.312(e)(1)
- 164.314(b)(2)(i)
Ensure S3 bucket has ignore public ACLs enabled
Ensure S3 bucket has ignore public ACLs enabled
- Enabling the “Ignore Public ACLs” on S3 buckets helps maintain data privacy and confidentiality by preventing unauthorized public access to the bucket and its data, which could otherwise lead to data breaches.
- This policy ensures that even if erroneous permissions are set in future, AWS will ignore public ACLs and prevent inadvertent data exposure, thus adding an extra layer of protection for your sensitive data.
- It supports regulatory compliance efforts by organizations, as it aligns with data privacy laws and regulations that forbid unauthorized data access.
- Lack of the “Ignore public ACLs” policy can negatively impact the data integrity and business reputation because cybercriminals or hackers can easily access or manipulate sensitive data stored in the buckets.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(a)(2)(iv)
- 164.312(c)(2)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
Ensure the S3 bucket does not allow WRITE permissions to everyone
Ensure the S3 bucket does not allow WRITE permissions to everyone
- This policy aims to prevent unauthorized users from altering or deleting existing data in an S3 bucket, thus maintaining the integrity of the stored data. WRITE permissions given to everyone can potentially lead to unauthorized modifications or data breaches.
- Unrestricted WRITE permissions could allow an attacker or malicious user to upload inappropriate or harmful content to a company’s S3 bucket, which can lead to legal and reputational damage for the company.
- WRITE permissions for everyone can lead to an overflow of unintended or malicious data. This could result in unwanted costs due to increased data storage and needless data traffic.
- Ensuring that S3 buckets do not allow WRITE permissions to everyone, helps in maintaining a robust security architecture for the infrastructure. It puts a protective layer to safeguard business-critical and sensitive information stored in the S3 buckets.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
- 164.314(b)(1)
- 164.314(b)(2)
Ensure no IAM policies that allow full *-* administrative privileges are not created
Ensure no IAM policies that allow full *-* administrative privileges are not created
- This policy is crucial in limiting the blast radius in the event of a security compromise. If an IAM entity with the ”-” permission set is compromised, attackers can have unrestricted access to all AWS resources and services leading to potential data compromise and system damage.
- The policy is also significant for enforcing the least privilege principle which states that a user should have only those privileges which are essential to perform his job function. Granting full administrative privileges unnecessarily increases the attack surface.
- This policy ensures all IAM policies strictly adhere to AWS best practices which discourage overly permissive policies as they can result in unintended resource access, thereby escalating privileges and enhancing opportunities for malicious activities.
- Implementation of this policy supports better audit compliance as it tracks the creation and management of IAM policies, ensuring only necessary permissions are granted. This helps meet regulatory requirements and avoids penalties for non-compliance.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.314(b)(2)(i)
Ensure CloudTrail is enabled in all Regions
Ensure CloudTrail is enabled in all Regions
- Enabling CloudTrail in all regions is important as it provides visibility into user activity by recording actions taken on your AWS infrastructure, thereby increasing transparency and accountability.
- This policy aids in detecting unusual or unauthorized activities by allowing you to review detailed CloudTrail event logs that track every API call made across all regions, providing an additional layer of security.
- It facilitates compliance with various regulations by providing an auditable record of all changes and administrative actions on AWS resources across every region, increasing the traceability and meeting various IT governance requirements.
- Disabling CloudTrail in any region could result in not detecting potential security threats in those regions. This could seriously harm the organization’s valuable resources and data, making this policy crucial for maintaining and improving overall security posture.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(5)(ii)(C)
- 164.312(b)
- 164.312(b)
CloudFront Distribution should have WAF enabled
CloudFront Distribution should have WAF enabled
- Enabling WAF (Web Application Firewall) on CloudFront distribution adds an extra layer of protection by inspecting incoming web traffic and providing a shield against common exploits like SQL Injection and Cross-Site Scripting attacks, thus reducing vulnerability.
- As CloudFront is a content delivery service, a security gap may result in congestion, Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks on assets. Enabling WAF helps prevent such threats, maintaining the availability of services.
- The policy ensures regulatory and compliance requirements are met, especially for businesses processing large amounts of sensitive data, by providing necessary safeguards and traffic controls on the edge locations close to the user.
- The policy encourages the use of Infrastructure as Code (IaC), which allows for automated security checks and prevent vulnerabilities right from the development stage. This allows for quicker threat detection and reduces the risk of human error during manual inspections.
- The check violates the following HIPAA rules:
- 164.312(e)(1)
Ensure Redshift Cluster logging is enabled
Ensure Redshift Cluster logging is enabled
- Enabling Redshift Cluster logging helps provide transparency and visibility of actions taken on your AWS Redshift cluster. This allows for the identification, troubleshooting, and resolution of issues in a timely manner.
- This policy aids in the forensics investigation in case of any security breach or data leak in the Redshift cluster. Log files contain crucial information about all queries and sessions executed by the cluster which can be used as evidence in the aftermath of an incident.
- The Redshift Cluster logging is a critical aspect of compliance with various regulations, such as GDPR, HIPAA, and PCI DSS. Organizations can demonstrate they have robust monitoring and auditing mechanisms in place by enabling logging.
- Lastly, by verifying logging via Infrastructure as Code (IaC) in the form of CloudFormation, organizations standardize configurations and prevent accidental logging deactivation. This practice reduces the chances of human error and improves the overall security posture.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.308(a)(5)(ii)(A)
- 164.308(a)(7)(ii)(A)
- 164.312(a)(1)
- 164.312(a)(2)(iv)
- 164.312(b)
- 164.312(e)(1)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure Elasticsearch Domain Logging is enabled
Ensure Elasticsearch Domain Logging is enabled
- Enabling Elasticsearch Domain Logging is critical as it provides detailed visibility into user activity and system performance, thus making it easier to monitor and diagnose issues within the Elasticsearch environment.
- The policy allows for transparency and traceability, as Elasticsearch Domain Logging stores and organizes logs which can be instrumental in identifying potential security threats, data breaches, or unauthorized access attempts.
- Enforcing this policy improves compliance to regulations and standards, as enabling Domain Logging is a common requirement in many regulatory compliances, thus reducing potential legal and operational risks for businesses.
- By utilizing Infrastructure as Code (IaC) through Cloudformation and referencing the given Python script, the implementation of Elasticsearch Domain Logging becomes streamlined and error-prone manual processes are eliminated, enhancing efficiency and reliability of security measures.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.312(b)
Redshift cluster should not be publicly accessible
Redshift cluster should not be publicly accessible
- Making a Redshift cluster publicly accessible increases the risk of a data breach, as it exposes the database to every network connected to the internet, including potential attackers.
- AWS :: Redshift :: Cluster and aws_redshift_cluster entities contain sensitive data, yet making them publicly accessible inadvertently exposes this data to unauthorized access or malicious activity.
- By keeping the Redshift cluster privately accessible, only authorized devices and users can access and interact with it, thus maintaining the data integrity and confidentiality.
- RedshiftClusterPubliclyAccessible.py is a security check script that ensures Redshift clusters are not made publicly accessible, thereby ensuring the policy is adhered to and preventing potential data leakage and breaches.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(b)
- 164.312(e)(1)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
EC2 instance should not have public IP.
EC2 instance should not have public IP.
- This policy mitigates the potential risk of unauthorized access to the EC2 instances by ensuring that they do not have a public IP address, an important measure given that public IP addresses are accessible from the internet.
- Whence, it significantly reduces the attack surface for potential cyber threats such as data breaches and denial of service attacks.
- By preventing public IP assignment to EC2 instances, the policy indirectly encourages the use of secure connectivity solutions like AWS VPN or AWS Direct Connect for interfacing with these instances, leading to improved security.
- Additionally, this policy aids in orchestrating a better access control by mandating a more controlled access to the instances through private networks or secure gateways rather than open internet.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
DMS replication instance should not be publicly accessible
DMS replication instance should not be publicly accessible
- This policy helps prevent unauthorized access and potential data breaches since it ensures that Database Migration Service (DMS) replication instances aren’t exposed to the public, thereby limiting potential attack vectors from malicious entities.
- By only allowing private access to DMS replication instances, the policy aids in maintaining the integrity and confidentiality of the data during transit by reducing the likelihood of interception.
- The policy promotes adherence to the principle of least privilege, a key security best practice, by restricting access to only necessary and trusted entities which reduces the risk to exposure.
- Non-compliance to this policy could lead to increased costs, reputational damage, and regulatory penalties due to potential breach of privacy laws or regulations, if sensitive data is exposed.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
Ensure the ELBv2 (Application/Network) has access logging enabled
Ensure the ELBv2 (Application/Network) has access logging enabled
- Enabling access logging on ELBv2 (Application/Network) provides detailed records of all requests made to the load balancer, thus increasing visibility into traffic patterns, usage, and any potential security risks.
- Access logs can help in identifying patterns and anomalies such as repeated requests from a certain IP, indicating a potential cyber-attack, and thus aids in proactive security monitoring and threat detection.
- The log data can facilitate auditing and compliance efforts by verifying who has accessed the service, when, and what actions were performed, enabling organizations to meet regulatory standards for data accountability and transparency.
- By combining Cloudformation IaC and automatic logging as per the linked resource script, companies can streamline their data governance protocols, creating more efficient methods for monitoring and maintaining secure infrastructure.
- The check violates the following HIPAA rules:
- 164.312(b)
Ensure the ELB has access logging enabled
Ensure the ELB has access logging enabled
- Enabling ELB (Elastic Load Balancer) access logging provides a detailed record of all requests made to a load balancer. This aids in identifying traffic patterns and potential security vulnerabilities, assisting in threat mitigation and capacity planning.
- Application performance optimization becomes more efficient with ELB access logging enabled as it allows fully detailed understanding of the unique characteristics and behaviors of the traffic flowing through the load balancer.
- If an unexpected data breach or unusual activity is detected in a system, the ELB access logs can be used for forensic analysis to track the incident and assess the impact, which helps cybersecurity teams quickly identify and fix security holes.
- Enabling access logging on ELB balances AWS’s share of responsibility in ensuring the safety and reliability of enterprise cloud systems, and allows IT teams to effectively monitor and enforce corporate and regulatory compliance policies.
- The check violates the following HIPAA rules:
- 164.312(b)
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)
- Ensuring S3 bucket policies do not exclude all but root users is crucial to maintain smooth operations. If only the root user is allowed access, routine tasks and maintenance would need root level privileges, which can be inefficient and unnecessarily risky.
- This policy can help to lower the risk of data breaches. If an aws_s3_bucket or aws_s3_bucket_policy is accidentally locked to all but the root user, it could possibly enable unauthorized access to confidential data, given the overarching permissions of the root user.
- The policy aids in preventing loss of access to critical AWS resources. If all other users are locked out, it might require root account intervention which can be time-consuming and may lead to downtime, which could hamper business operations.
- Compliance adherence is another significant aspect of this policy. By restricting lockout scenarios to root user only, the policy helps in adherence to specific regulatory requirements and compliance standards related to minimum privileges and access control measures.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(c)(1)
- 164.312(c)(2)
- 164.314(b)(2)(i)
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions
- Enabling encryption in transit for EFS volumes in ECS Task definitions ensures the confidentiality and integrity of data as it is passed over networks between the ECS Tasks and EFS file systems. This is particularly relevant when dealing with sensitive information that could be intercepted or corrupted during transmission.
- By applying this policy, any unauthorized modification to the data during transmission will be detected. It prevents ‘man-in-the-middle’ attacks where an intruder intercepts the communication between two points and alters the information.
- ECS Task definitions without encrypting EFS volumes could potentially violate compliance regulations. Enforcing this policy keeps operations within AWS and global security standards, preventing legal ramifications and reputation damage due to non-compliance.
- Additionally, a direct impact of not having this policy could result in increased vulnerability to security breaches, leading to potential financial loss, disruption to operations, and data leaks, which can have severe consequences for businesses.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(2)(i)
Ensure Redshift uses SSL
Ensure Redshift uses SSL
- Using SSL with Amazon Redshift ensures that data in motion is encrypted during transmission, providing an important layer of security for data that may contain sensitive information.
- Implementing this policy helps to avoid man-in-the-middle attacks, in which unauthorized individuals can intercept and potentially manipulate data as it travels between the Redshift cluster and your applications.
- The policy also confirms the identity of the Redshift cluster to your applications, protecting your data infrastructure from spoofing attacks and unauthorized access attempts.
- Non-compliance with this security policy could lead to violating several regulatory compliance requirements such as GDPR and HIPAA, potentially resulting to legal ramifications and reputation damage.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure EBS default encryption is enabled
Ensure EBS default encryption is enabled
- Enabling EBS default encryption ensures that all new EBS volumes and snapshot data are automatically encrypted, reducing the risk of data leakage or unauthorized access.
- This policy helps in compliance with regulatory standards and frameworks that require encryption of data at rest such as HIPAA, GDPR, and PCI DSS, such mitigating potential legal and financial implications.
- It significantly simplifies the management and enforcement of data encryption, as administrators do not have to encrypt each and every volume or snapshot manually.
- By enabling encryption by default, this policy enhances data protection in multi-tenant storage environments, reducing the potential exposure of sensitive data in the event of shared resource scenarios.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure IAM policies does not allow credentials exposure
Ensure IAM policies does not allow credentials exposure
- This policy prevents unauthorized access and potential misuse of AWS resources by ensuring that IAM policies do not expose sensitive credentials. Exposure of such sensitive credentials can lead to breach of critical data and compromise the integrity of the system.
- Adhering to this policy reduces the risk of credential theft, as it minimizes the chances of password and secret keys being targeted by attackers. This protects the system from unauthorized activities such as data alteration, data deletion or disrupting the services.
- This policy ensures the principle of least privilege is maintained in the IAM policies by not exposing any unnecessary credentials, hence, minimizing the potential attack surface to malicious entities.
- Non-compliance to this policy can result in the failure of regulatory requirements, as many standards and laws mandate strict control over access to sensitive information. Implementing this policy aids in compliance with such regulations, minimizing the risk of hefty fines and potential reputational damage.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
Ensure that EMR clusters with Kerberos have Kerberos Realm set
Ensure that EMR clusters with Kerberos have Kerberos Realm set
- Ensuring that EMR clusters with Kerberos have Kerberos Realm set helps prevent unauthorized access into the EMR clusters. The Kerberos Realm is vital in security because it identifies and authenticates users in the network domain before providing them access.
- This policy ensures the correct configuration and implementation of security controls in AWS EMR clusters. Misconfigurations are a common cause of security vulnerabilities and can lead to potential breaches when not addressed properly.
- Enforcing this policy can help organizations adhere to best practices for AWS resource management and data protection. Adhering to such practices reduces the risk from both external threats and internal errors.
- This policy, when implemented through Terraform IaC, can lead to better compliance and auditability, as the configuration is managed as code and changes can be easily tracked and reverted if necessary. This improves overall governance and risk management processes.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
Ensure that enhanced monitoring is enabled for Amazon RDS instances
Ensure that enhanced monitoring is enabled for Amazon RDS instances
-
Enabling enhanced monitoring on Amazon RDS instances provides detailed metrics about your RDS instances’ CPU, memory, file system, and disk I/O operations. These insights are crucial for capacity planning, performance troubleshooting, and identifying anomalies in instance behavior.
-
Enhanced monitoring covers several system processes that run at an operating system level, allowing for a more comprehensive insight into the health of your database infrastructure. This granularity can assist in quicker and more accurate root cause analysis during a security event or service disruption.
-
Failure to enable enhanced monitoring could lead to a significant delay in identifying and addressing performance issues or potential security threats, resulting in prolonged system downtime, compromised application performance, and potential data breaches or losses.
-
Enhanced monitoring generates logs and metrics crucial for meeting certain compliance standards, particularly those related to data security and availability. Not enabling it could lead to violations of these standards and potential legal and financial repercussions.
-
The check violates the following HIPAA rules:
- 164.312(b)
Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance
Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance
- Disabling direct internet access for an Amazon SageMaker Notebook Instance enhances security by minimizing the potential attack surface for malicious threats like malware or hackers that can penetrate through the public network.
- For the AWS SageMaker notebook instance, sensitive data, such as algorithms and models, could be present. Disabling direct internet access prevents unauthorized data exfiltration, ensuring the confidentiality and integrity of the information.
- The policy also ensures compliance with best practices for data protection and IT security. It reduces the risks of non-compliance with standards and regulations such as GDPR, HIPAA, and others that may lead to severe penalties.
- Utilizing infrastructure as code (IaC) tool like Terraform for implementing this security policy not only provides consistency and scalability but also automates the enforcement of this rule across multiple notebook instances, enhancing the overall posture of cloud security.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
Ensure VPC subnets do not assign public IP by default
Ensure VPC subnets do not assign public IP by default
- Implementing this policy helps in reducing overall attack surface, as limiting the assignment of public IP addresses to VPC subnets by default reduces the number of potential targets that malicious actors can exploit.
- It ensures an additional layer of security by controlling and monitoring the entities in the network that communicate with public networks, thereby limiting potential unauthorized access and data breaches.
- Enforcing this policy results in network traffic to flow through designated points, creating an opportunity for centralized inspection, logging, auditing, and possible intrusion detection, which further strengthens the security posture.
- This policy could also lead to cost savings as unnecessary assignment of public IPs could lead to unwanted egress data transfer charges. It promotes a financially efficient use of resources while maintaining optimal security.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
Ensure that RDS instances has backup policy
Ensure that RDS instances has backup policy
- Enabling a backup policy for AWS RDS instances is crucial to prevent data loss in case of any catastrophic system failures, human error, or accidental deletion of data. The policy ensures that regular automated backups of the database are created and stored.
- Having backup policy ensures High Availability (HA) and Disaster Recovery (DR) of RDS instances. This is especially important for mission-critical workloads that require continuous database operations and minimal data loss.
- The policy supports compliance requirements, as many regulations demand that data be backed up, replicated, and recoverable in a specific period of time. Failure to meet these conditions may lead to penalties and damaged reputation.
- It allows a more seamless recovery process in case of a database corruption or crash, minimizing downtime, and reducing the efforts taken for manual backup and recovery procedures, thus maintaining business continuity.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on
- This policy helps in maintaining data integrity and ensures the resiliency of Amazon ElastiCache Redis clusters by enabling automatic backups. This combats the risk of data loss due to any unforeseen issues or system failures.
- Implementing this policy allows for efficient disaster recovery. In the event of a failure or issue, services can be quickly restored using the automatically created backups, thus minimizing downtime and any subsequent loss of revenue.
- The procedure of enabling automatic backup also assists in auditing and compliance. Many regulations require that data, including that in cache clusters, be recoverable in the event of loss. With automatic backups turned on, businesses can demonstrate compliance easily.
- Enforcing this policy aids in the mitigation of human error. Manual backup processes are prone to mistakes or oversights. Automation of backups removes this risk, improving data management reliability.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
Ensure that Elasticsearch is configured inside a VPC
Ensure that Elasticsearch is configured inside a VPC
- Ensuring Elasticsearch is configured inside a Virtual Private Cloud (VPC) improves security by providing a private, isolated section of the AWS Cloud where resources are launched in a defined virtual network. This limits exposure to potential malicious activities by minimizing the attack surface.
- Placement of Elasticsearch within a VPC ensures that network traffic between your users and the search instances remain within the Amazon network, thereby reducing the possibility of data leakage or exposure during transmission.
- Utilizing VPCs also enables enforcement of security policies through control over inbound and outbound network traffic. It provides administrators the power to define fine-grained access controls on their Elasticsearch service.
- A violation of this policy could lead to unauthorized access to your Elasticsearch data, resulting in potential data theft, corruption, or deletion. It could also lead to excessive data charges due to transfer of data to and from the service across VPC boundaries.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(a)(1)
- 164.312(e)(1)
- 164.312(e)(1)
- 164.314(b)(2)(i)
Ensure that ELB is cross-zone-load-balancing enabled
Ensure that ELB is cross-zone-load-balancing enabled
- Enabling Cross-Zone Load Balancing on Elastic Load Balancers (ELB) ensures equal distribution of traffic across all registered instances in all enabled Availability Zones, improving the efficiency and reliability of your application.
- When ELB is not cross-zone-load-balancing enabled, all the traffic will be sent to only one Availability Zone leading to resource exhaustion in that zone hence causing application downtime.
- This policy helps to maintain high availability and fault tolerance of the applications even if one of the Availability Zones goes down, by efficiently routing traffic to instances in the remaining running zones.
- With the Infrastructure as Code tool, Terraform, the policy ensures that ELB configurations are consistent and repeatable across multiple environments providing a standard and secure infrastructure setup.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(C)
- 164.314(b)(2)(i)
Ensure that RDS clusters have deletion protection enabled
Ensure that RDS clusters have deletion protection enabled
- Enabling deletion protection on RDS clusters prevents accidental deletion of critical data, ensuring the continuity of business operations and reducing potential downtime due to data loss.
- This policy ensures that organizational standards for data protection and disaster recovery are adhered to, which can be particularly important for compliance with regulations like GDPR and HIPAA.
- By using Infrastructure as Code (IaC) with Terraform to enforce this policy, organizations can automate and standardize protection settings across all RDS clusters, reducing the likelihood of human error.
- Disabling deletion protection can expose the system to potential risks such as data tampering and cyber attacks; therefore, adhering to the policy aids in maintaining the integrity and security of the system.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(C)
- 164.314(b)(2)(i)
Ensure that RDS global clusters are encrypted
Ensure that RDS global clusters are encrypted
- This policy is important to protect sensitive data stored in the RDS global clusters and to prevent unauthorized access. Encryption aids in maintaining data confidentiality and integrity by converting the original data into an unrecognizable format until it is decrypted.
- By encrypting RDS global clusters, the policy ensures compliance with the data privacy regulations like GDPR, HIPAA, which mandate the use of encryption for sensitive data. Failure to comply can lead to heavy fines and legal penalties.
- Complying with this policy provides an additional layer of defense in the event of a security breach. Even if an attacker gains access to the database, the encrypted data remains unusable unless the attacker also has the corresponding decryption key.
- The policy potentially improves customer trust and the organization’s reputation, as it demonstrates a commitment to maintaining robust security practices. A business operating with encrypted RDS global clusters is less likely to suffer devastating breaches of sensitive data.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensured that Redshift cluster allowing version upgrade by default
Ensured that Redshift cluster allowing version upgrade by default
- This policy ensures that Redshift clusters are always running on the latest and most secure version, reducing the risk of vulnerabilities and breaches in outdated versions.
- Regular version upgrades facilitated by this policy provide users with the latest features, bug fixes, and performance improvements, enhancing the overall utility and efficiency of Redshift clusters.
- Disruptions in service are minimized as Redshift clusters handle version upgrades automatically and seamlessly without significant downtime, ensuring uninterrupted data services.
- The policy aids in compliance with various information security governance frameworks that require systems to be running on the latest software versions, reducing the risk of non-compliance penalties or sanctions.
- The check violates the following HIPAA rules:
- 164.308(a)(5)(ii)(A)
- 164.308(a)(7)(ii)(A)
Ensure that S3 bucket has lock configuration enabled by default
Ensure that S3 bucket has lock configuration enabled by default
- Enabling lock configuration on the S3 bucket increases data protection by preventing accidental or intentional deletions or overwriting of objects stored in the bucket.
- The lock configuration feature allows administrators to access versioning, making it possible to recover previous versions of an object, heightening the data resiliency strategy and minimizing potential data loss.
- This security measure is important for ensuring compliance with data retention policies and regulations, such as the General Data Protection Regulation (GDPR), as it provides an extra layer of data protection and integrity.
- If object locking is not enabled, the critical data in the S3 bucket could potentially be compromised, leading to significant business disruptions or regulatory non-compliance penalties.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(c)(1)
- 164.312(c)(2)
- 164.314(b)(2)(i)
Ensure that S3 bucket has cross-region replication enabled
Ensure that S3 bucket has cross-region replication enabled
- This policy ensures data redundancy and high availability. If the primary data location fails or is compromised, the replicated data in another region serves as a backup, minimizing potential data loss and downtime.
- It is essential for compliance with regulations concerning disaster recovery planning, which require businesses to have a plan for resuming operations after disruptive events. Enabling cross-region replication for S3 buckets helps fulfill these compliance requirements.
- The policy promotes geographical expansion and flexibility. With replication across regions, you can serve or process data closer to where it is needed, improving data transfer speeds and reducing latency.
- It protects from region-specific issues. If one AWS region encounters problems or suffers a major outage, the data replicated to other regions continues to be available, thereby mitigating regional risks.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
Ensure that S3 buckets are encrypted with KMS by default
Ensure that S3 buckets are encrypted with KMS by default
- This policy promotes the security of sensitive data by ensuring that all data stored in AWS S3 buckets are encrypted using AWS Key Management Service (KMS). This safeguards stored information from unauthorized access or potential data breaches.
- The implementation of this policy significantly reduces the risk of data theft or exposure. If the S3 bucket was to be compromised, the encrypted data would be useless without the correct KMS keys, providing an additional layer of security on top of regular access controls.
- An unencrypted S3 bucket is susceptible to data leakage, which can result in severe financial penalties, irreparable damage to the organization’s reputation, and non-compliance with data protection regulations.
- Complying with this policy encourages adherence to best practices in cloud security and helps organizations meet regulatory compliance requirements like GDPR, HIPAA, or CCPA, where data encryption is often mandatory.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(a)(2)(iv)
- 164.312(c)(2)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
- 164.314(b)(2)(i)
Ensure that RDS database cluster snapshot is encrypted
Ensure that RDS database cluster snapshot is encrypted
- This policy ensures that backups of the RDS database cluster, encapsulated in snapshots, are encrypted, protecting sensitive data from unauthorized access or potential cyber threats.
- By encrypting RDS database cluster snapshots, even if the backups are somehow leaked or stolen, the data within remains concealed and inaccessible without the correct encryption key, preserving the integrity and confidentiality of the content.
- Compliance with this policy makes your infrastructure follow best practices for security in cloud environments, which can appeal to various regulatory standards such as GDPR, HIPAA, or PCI-DSS, enhancing the organization’s reputation and trustworthiness.
- Using Infrastructure as Code (IaC) tool like Terraform to ensure encryption of RDS cluster snapshots provides consistency and scalability as security policies can be applied across multiple instances and automated, reducing the margin for human error.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure that Secrets Manager secret is encrypted using KMS CMK
Ensure that Secrets Manager secret is encrypted using KMS CMK
- Ensuring Secrets Manager secret is encrypted using KMS CMK protects sensitive data. It adds an extra layer of security by encrypting the secret, making it unreadable to unauthorized users.
- This policy aids in regulatory compliance as certain regulations and standards require encryption of sensitive data at rest. Without adhering to this policy, organizations could face fines or penalties.
- Utilizing AWS Key Management Service gives organizations full control over their encryption keys, enabling them to manage who can access and decrypt their Secrets Manager secrets.
- The policy reduces the risk fallout from potential data breaches. Even if an attacker gains access to the system or data backup, they would not be able to derive meaningful data without the encryption keys.
- The check violates the following HIPAA rules:
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
- The policy ensures improved application availability by ensuring requests are served by backend instances, even if they are not in the same availability zone as the load balancer. This increases reliability and prevents service disruptions due to single zone outages.
- Enabling cross-zone load balancing optimizes resource utilization by automatically distributing incoming traffic across all registered instances in all enabled availability zones, increasing the efficiency of your network infrastructure.
- Implementing this policy mitigates the risk of overloading one zone and underutilizing others, helping to prevent performance inconsistencies that could lead to poor customer experience or timeouts.
- In a scenario where new instances are added or unhealthy instances are removed, this policy ensures that the load balancer continually reevaluates the availability of registered instances across zones and redistributes traffic for seamless operation, paving the way for efficient scaling.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(C)
- 164.314(b)(2)(i)
Ensure that Workspace user volumes are encrypted
Ensure that Workspace user volumes are encrypted
- Encrypting user volumes prevents unauthorized access to data stored on these volumes. This is particularly important for sensitive data such as personally identifiable information (PII) or financial data.
- If user volumes are not encrypted, they could be targeted during a cyber attack, potentially leading to data breaches.
- An encrypted user volume helps improve regulatory compliance, since many regulatory standards require sensitive data to be encrypted both at rest and in transit.
- Utilizing this policy within the Cloudformation IaC model allows an automated, rinse-and-repeat process for encryption, reducing manual errors and the overhead associated with encrypting each user volume individually.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure that Workspace root volumes are encrypted
Ensure that Workspace root volumes are encrypted
- Encrypting Workspace root volumes is crucial to protect sensitive data stored on those volumes. If the volumes are unencrypted, anyone with access can read and manipulate the data, leading to security risks like data breaches and non-compliance issues.
- Encrypted root volumes increase the security of data at rest by converting it into encrypted form. This is significant in scenarios where physical security controls fail, and an unsanctioned user manages to gain physical access to a disk.
- This policy ensures compliance with regulatory standards like HIPAA, GDPR or PCI-DSS which mandate that stored data must be encrypted, thus preventing potential fines for non-compliance.
- Utilising AWS::WorkSpaces::Workspace and aws_workspaces_workspace in CloudFormation templates with this policy enforces uniformity in security controls across resources, reducing configuration oversight and streamlining compliance auditing processes.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure that RDS instances have Multi-AZ enabled
Ensure that RDS instances have Multi-AZ enabled
- Enabling Multi-AZ in RDS instances ensures high availability and failover support for DB instances, making this policy crucial for maintaining uninterrupted services, even if one datacenter experiences an issue.
- This policy helps in automatic data replication in a standby instance in a different Availability Zone (AZ), enabling swift disaster recovery and minimizing the risk of data loss in event of a single AZ outage.
- Compliance with this policy can improve the overall performance of your database by permitting read traffic from your applications to be served from multiple replicated databases in different AZs.
- The policy, if not applied, could lead to massive business disruptions and potential revenue loss in situations of unplanned downtime or data loss due to natural disasters, system failures, or other unforeseen issues.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(C)
- 164.314(b)(2)(i)
Ensure DynamoDB global table point in time recovery (backup) is enabled
Ensure DynamoDB global table point in time recovery (backup) is enabled
- Enabling DynamoDB global table point in time recovery ensures the continuous backup of all data in the global table. It allows customers to restore table data from a specified point in time within the last 35 days, providing better data loss recoverability when there are accidental writes or deletes.
- Enforcing this policy reduces the operational burden of creating backups manually which can be prone to errors or omissions. It assures that the backup process runs automatically and consistently, thanks to the Infrastructure as Code (IaC) tool, CloudFormation.
- Turning on the point in time recovery option prevents data loss due to unplanned events like instrument failures, data breaches, or system crashes, hence ensuring the availability and integrity of data stored in the global table.
- This policy also supports regulatory compliance requirements that mandate regular backup of essential data, helps in meeting disaster recovery objectives, and instills confidence in customers about the safety of their data.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
Ensure Logging is enabled for WAF Web Access Control Lists
Ensure Logging is enabled for WAF Web Access Control Lists
- Enabling logging for WAF Web Access Control Lists allows for comprehensive monitoring and analysis of traffic routed through the WAF, thus providing visibility into potential security threats and aiding in rapid detection and response.
- This policy ensures compliance with security best practices and regulatory standards which often demand detailed logging of accesses and activities for audit purposes, aiding organizations in avoiding penalties and preserving trust with customers and partners.
- Detailed logs from WAF Web Access Control Lists can feed into security information and event management (SIEM) systems to enable automated response to threats, thereby strengthening the security posture of AWS resources and enhancing the resilience of applications.
- When logging is enabled for WAF Web Access Control Lists, it can help identify patterns, trends and anomalies within the traffic data over time, which can be invaluable for troubleshooting and optimizing web applications’ performance, leading to an improved user experience.
- The check violates the following HIPAA rules:
- 164.312(b)
Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
- This policy ensures an extra layer of security on data stored in S3 buckets since it requires encryption using Key Management Service (KMS) with a Customer Master Key (CMK). This encryption makes it very hard for unauthorized persons to read the data.
- Enforcing this policy would help an organization meet compliance standards related to data protection, such as GDPR or HIPAA, that often mandate strong encryption methods like KMS for stored data.
- Since this policy specifies the use of a Customer Managed Key (CMK), it gives the user better control over their encryption keys, allowing them to establish and maintain the lifecycle, rotation, and use of the key.
- A breach of the S3 bucket content would be less impactful when this policy is enforced, as encrypted files will be near impossible to decrypt without access to the associated CMK, thereby keeping sensitive data secure.
- The check violates the following HIPAA rules:
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure ELB Policy uses only secure protocols
Ensure ELB Policy uses only secure protocols
- This policy ensures that Elastic Load Balancing (ELB) only uses secure protocols, fortifying the defense of data transmitted between the client and the load balancer, reducing the risk of data breach.
- With secure protocols, it guards against attacks like surveillance, data modification, and spoofing by lowering the chance of unencrypted or weakly encrypted data being intercepted or tampered.
- Using insecure protocols can lead to non-compliance with data protection regulations like GDPR or HIPAA, resulting in severe legal and financial consequences. This policy helps in maintaining compliance with such regulations.
- Implementing this policy via Infrastructure as Code (IaC) approach using Terraform allows for scalable, repeatable, and efficient security configuration across various AWS load balancer policies, enhancing the overall security posture.
- The check violates the following HIPAA rules:
- 164.312(a)(2)(iv)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.314(b)(2)(i)
Ensure that CloudSearch is using https
Ensure that CloudSearch is using https
- This policy ensures that all data transferred between AWS CloudSearch and the users is encrypted during transit using the HTTPS protocol. This is crucial in preventing unwanted exposures and potential data breaches.
- Implementing this policy aids in establishing secure, trusted connections, particularly for sensitive information, which is a critical requirement in various compliance standards such as GDPR, HIPAA, and PCI DSS.
- It prevents man-in-the-middle attacks, which can occur when http is used instead of https. Https offers security measures to verify that the user is communicating with the intended AWS CloudSearch server and not with an attacker impersonating it.
- This policy also shows the commitment of the organization to prioritize security, thereby instilling a sense of trust in the users utilizing the service or in stakeholders observing the security posture of the business.
- The check violates the following HIPAA rules:
- 164.312(a)(2)(iv)
- 164.312(c)(1)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure Create before destroy for ACM certificates
Ensure Create before destroy for ACM certificates
-
Ensuring ‘Create before destroy’ for ACM (AWS Certificate Manager) certificates is important as it helps minimize service downtime during updates. If a certificate is destroyed before a new one is created, any services relying on that certificate may become unavailable or insecure.
-
Following this policy proactively safeguards against potential disruptions and helps maintain the continuity and integrity of services that depend on ACM certificates.
-
This more orderly management of certificates introduces an additional layer of security, as it prevents any possible instances where services might accidentally run on invalid or expired certificates during the transition phase.
-
As for Terraform’s infrastructure as code approach, having this policy in place promotes enhanced version control and a robust disaster recovery strategy, making reverting to a previous state simpler and more predictable.
-
The check violates the following HIPAA rules:
- 164.314(b)(2)(i)
Verify logging preference for ACM certificates
Verify logging preference for ACM certificates
- The policy necessitates verification of logging preference for ACM certificates, enhancing the security control over the SSL/TLS certificates. Keeping a log of the certificates helps to track its usage and guard against unauthorized access or alterations to the certificates.
- Since the infrastructure is managed using Infrastructure as Code (IaC) tool Terraform, the policy ensures consistent logging settings across all aws_acm_certificate resources, which promotes a uniform security standard and mitigates potential configuration errors.
- Observing this policy helps in maintaining a comprehensive record of all certificate-related actions, facilitating the detection of suspicious activities or breaches. In the event of a cyber attack, these logs can provide critical clues for forensic analysis and incident response.
- Failure to comply with the policy could lead to the ACM certificate’s misuse or compromise without detection due to lack of monitoring. This could expose the system to risks such as Man-in-the-Middle (MITM) attacks, which may lead to data theft, system interruption, or other critical security incidents.
- The check violates the following HIPAA rules:
- 164.314(b)(2)(i)
Ensure that GuardDuty detector is enabled
Ensure that GuardDuty detector is enabled
- Enabling GuardDuty detector significantly improves the visibility of your AWS environment by continuously monitoring for malicious or unauthorized activity. It helps in proactively identifying threats before they can cause harm, thus enhancing the overall security of your infrastructure.
- Maintaining the GuardDuty detector as an enabled configuration within your Terraform script ensures that the security setting is automatically applied during the provisioning and updating of your AWS resources. This prevents manual errors or oversights that can occur when configuring settings individually.
- The script adds an additional layer of security to your current AWS environment by automatically analyzing and processing potential threat data such as VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. This can help catch vulnerabilities or attacks not detected by other security measures.
- By enforcing this policy, you ensure that newly deployed or existing resources are always under the coverage of GuardDuty, minimizing the risk of undetected threats or vulnerabilities. This is critical in avoiding security breaches and maintaining compliance with various cybersecurity norms and standards.
- The check violates the following HIPAA rules:
- 164.308(a)(5)(ii)(C)
- 164.308(a)(6)(ii)
- 164.308(a)(8)
- 164.312(b)
Ensure Kinesis Firehose delivery stream is encrypted
Ensure Kinesis Firehose delivery stream is encrypted
- This policy ensures that data being streamed through the Kinesis Firehose delivery stream is encrypted, enhancing the confidentiality and integrity of the data being transmitted.
- Enabling encryption on Kinesis Firehose Delivery Stream provides an additional layer of security and prevents unauthorized access to sensitive information, thereby complying with data protection regulations and standards.
- Non-compliance with this policy could result in potential data breaches, legal consequences, brand reputation damage, and losing customer trust if sensitive data is left unprotected in the stream.
- The policy is implemented using Infrastructure as Code (IaC) tool, Terraform which allows automated and consistent deployment of such security controls across the infrastructure. This greatly reduces the chances of manual error and oversight in security implementation.
- The check violates the following HIPAA rules:
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(2)(i)
Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions
Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions
-
This policy helps maintain the principle of least privilege by ensuring that the execution role, which the Amazon ECS service uses to make AWS API calls on your behalf, and the task role, which determines what other AWS service resources the task can interact with, are not conflated. This minimization of permissions effectively reduces the scope and impact of potential security breaches.
-
It enhances the security by limiting the blast radius in case of a compromise. If a malicious user gains access to one role, they still do not gain the privileges of the other role. For instance, being able to execute the tasks doesn’t give them access to the AWS resources and vice versa.
-
Keeping the Execution Role ARN and the Task Role ARN separate in ECS Task definitions allows for better auditing and control of resources. The activities of each role can be logged and tracked independently, resulting in cleaner logs and easier detection of any anomalies.
-
It enables granular control over infrastructure resources. A careful separation of permissions associated with each role offers the ability to place exact controls on the scope of activities that can be performed by both roles. It helps in managing infrastructure as code (IaC) resources like aws_ecs_task_definition more effectively in Terraform.
-
The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.314(b)(2)(i)
Ensure CloudTrail logging is enabled
Ensure CloudTrail logging is enabled
- Enabling CloudTrail logging is crucial for auditing and monitoring activities in your AWS environment. It records and retains event log files of all API activity, which is essential in detecting suspicious activity or identifying operational issues.
- This policy helps in ensuring compliance with numerous cybersecurity standards and audits. CloudTrail logging can be utilised as evidence for demonstrating compliance with internal policies or external regulations by providing a history of actions, changes, and events.
- Implementing this policy means that even in the case of a security incident, having enabled CloudTrail logging offers the ability to conduct thorough forensic analysis. It allows the security team to trace back the actions of an attacker or determine the cause of an incident.
- Without enforcing this policy, organisations are exposed to an increased risk of undetected security breaches. Unidentified malicious activities or unauthorized changes in infrastructure could lead to data leaks, service disruptions, or additional costs due to the misuse of resources.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.312(b)
Ensure that AWS Lambda function is not publicly accessible
Ensure that AWS Lambda function is not publicly accessible
- Ensuring AWS Lambda functions are not publicly accessible helps prevent unauthorized access to resources and data, strengthening the overall security of the cloud infrastructure.
- Blocking public access to Lambda functions minimizes the risk of potential DDoS attacks and other security threats that could degrade or disrupt the operation of the function and related services.
- Limiting Lambda function access to only known and trusted sources allows for better control and monitoring of requests, potentially improving debugging and accountability for actions performed in AWS.
- Compliance with this policy helps organizations adhere to best practices for data privacy and protection, potentially aiding in regulatory compliance for industries like healthcare or finance that have strict data handling requirements.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
Ensure DB Snapshots are not Public
Ensure DB Snapshots are not Public
- Ensuring DB snapshots are not public is essential for preventing unauthorized access to your sensitive data. When snapshot settings are set to public, anyone can view and potentially manipulate your snapshot content.
- Leaving DB snapshots public can result in data breaches and loss of critical information. Attackers can target public snapshots to discover weak areas in your security infrastructure, exploit it, access data, or disrupt services.
- Following this policy ensures compliance with data protection laws and industry regulations that require certain types of data to be stored privately. Non-compliance might result in legal penalties or damage to the organization’s reputation.
- The policy enables the use of the Infrastructure as Code (IaC) security best practice. Using IaC tool like Terraform to automate the security settings of AWS DB snapshots reduces human error and guarantees that the snapshots are not accidentally left public.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(a)(1)
- 164.312(e)(1)
- 164.312(e)(1)
Ensure SSM documents are not Public
Ensure SSM documents are not Public
- This policy ensures that Systems Manager (SSM) documents, which often contain sensitive data such as system configurations and operational scripts, are not public and can only be accessed by authorized users or services, thereby enhancing the security of AWS resources.
- By ensuring SSM documents are private, it prevents unauthorized access or potential malicious activities such as changes to configurations, script injections, or data exfiltration that could occur if the documents were public.
- Enforcing this policy mitigates the risk of exposure of sensitive information that could lead to security breaches, compliance violations, and potential financial and reputational damage to entities.
- Using Infrastructure as Code (IaC) automation with Terraform, the policy makes it easier to manage, enforce, and maintain secure configurations across multiple resources, thereby ensuring consistency and reducing the possibility of human error.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
Ensure Secrets Manager secrets should be rotated within 90 days
Ensure Secrets Manager secrets should be rotated within 90 days
- Regular rotation of secrets within 90 days in AWS Secrets Manager increases overall security, reducing the risk of a cybercriminal gaining unauthorized access to sensitive data if a secret or password is compromised.
- Enforcing this policy ensures that potential breaches can be contained within a limited timeframe, minimizing the damage caused by potentially leaked secrets.
- By managing this automation through Terraform, organizations can ensure consistent implementation across all systems and services, reducing the risk of human error and ensuring compliance with security best practices.
- Non-compliance with this policy can lead to outdated secrets being easily cracked or guessed, increasing vulnerability to attacks and possibly causing damage to brand reputation, regulatory fines, and loss of customer trust.
- The check violates the following HIPAA rules:
- 164.308(a)(4)(ii)(B)
Ensure Elasticsearch Domain Audit Logging is enabled
Ensure Elasticsearch Domain Audit Logging is enabled
- Enabling Elasticsearch Domain Audit Logging is crucial for tracking, analyzing and alerting on user activities and API usage. This ensures visibility and traceability, enabling admin to identify unexpected or unauthorized activities and react promptly.
- The policy indirectly helps with regulatory compliance since many regulations and standards require the logging of accesses and changes to data. By providing a comprehensive audit trail, Elasticsearch Domain Audit Logs help meet such requirements.
- The policy can play a significant role in cybersecurity analytics, as Elasticsearch domain logs can be used to identify patterns, anomalies or incidents, contributing to threat detection and prompting appropriate security response.
- If Elasticsearch Domain Audit Logging is not enabled, it could lead to a lack of visibility into domain usage and activities. This could in turn allow potential security threats or breaches to go undetected, compromising the integrity and security of the AWS infrastructure.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.312(b)
Ensure that CloudWatch alarm actions are enabled
Ensure that CloudWatch alarm actions are enabled
- Enabling CloudWatch alarm actions is critical for real-time monitoring and management of AWS services and applications, as it provides automated notifications about any operational issues or irregularities.
- Such policy ensures quick response to critical events by triggering automated actions, or sending alerts and notifications to the responsible stakeholders, helping maintain a steady operational flow and reducing downtime.
- The policy fosters proactive problem-solving by offering insights and trends into system activities, including error rates, CPU usage, latency, user patterns, and more, empowering the decision-making with data-driven material.
- Non-compliance with the policy may lead to unnoticed operational issues, thus leading to loss of critical data or increased costs due to inefficient resource utilization. This is why it’s crucial to enable CloudWatch alarm actions in the infrastructure as code (IaC) configurations like Terraform to prevent any such scenarios.
- The check violates the following HIPAA rules:
- 164.312(b)
Ensure that RDS Cluster log capture is enabled
Ensure that RDS Cluster log capture is enabled
- Enabling RDS Cluster log capture is crucial for monitoring and diagnosing the operation of both the RDS cluster and the apps running on them. Without the ability to capture logs, it would be challenging to identify and resolve issues that may arise.
- This policy enables effective auditing and compliance practices since it allows for detailed tracking and recording of all operations and transactions. This could be useful in case of any security incidents or breaches that require comprehensive audit trail.
- When log capture is enabled, security teams have better visibility into potentially suspicious activities on the RDS cluster. This could help identify patterns indicative of a security threat, such as repeated failed login attempts, thus facilitating early detection of security issues.
- Without this policy, organizations run the risk of missing critical data needed for debugging and security investigations. This could delay problem resolution or even lead to unnoticed security breaches, resulting in potential data loss, system downtime, and reputational damage.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.308(a)(5)(ii)(C)
- 164.312(b)
Ensure that RDS Cluster audit logging is enabled for MySQL engine
Ensure that RDS Cluster audit logging is enabled for MySQL engine
- Enabling RDS Cluster audit logging for MySQL engine allows administrators to record and monitor activities carried out within the database. This improves accountability by ensuring that all actions taken on the database can be traced back to specific users.
- The audit logs can be used as evidence to meet compliance requirements. Regulations such as PCI DSS, HIPAA, and GDPR require businesses to maintain detailed logs of all data access and modifications.
- This policy can help in identifying unauthorized activities and detecting security breaches early. When enabled, the audit logging can track actions like alterations on the database, changes in database configurations, or any kind of data exfiltration attempts, thereby providing valuable insights during a security incident investigation.
- Applying this policy through IaC-Terraform ensures that the setting is consistently applied across all RDS Clusters, reducing the risk of human error and enhancing the overall security posture of the infrastructure.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.308(a)(5)(ii)(C)
- 164.312(b)
Ensure ECS containers should run as non-privileged
Ensure ECS containers should run as non-privileged
- Running ECS containers as non-privileged reduces the potential for security breaches by limiting the capabilities and access rights of the containerized applications, ensuring they can’t perform sensitive operations or gain unauthorized access to valuable data.
- This policy is crucial in enforcing the principle of least privilege, which states that a user or an application must only have access to the resources and data it needs to perform its function, thereby minimizing the damage that could result from an accidental or malicious action.
- By restricting ECS containers to run only as non-privileged, the impact of a container compromise or any other security incident is confined to that particular container, preventing the attacker from escalating privileges and affecting other containers, applications, or the host.
- Violation of this policy could lead to a significant security risk, potentially exposing the system to attacks or data breaches, and non-compliance could also result in failing to meet industry standards and regulatory requirements such as GDPR, HIPAA, or PCI-DSS, resulting in monetary fines and reputational damage.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.314(b)(2)(i)
Ensure ECS task definitions should not share the host's process namespace
Ensure ECS task definitions should not share the host's process namespace
Ensure ECS containers are limited to read-only access to root filesystems
Ensure ECS containers are limited to read-only access to root filesystems
- This policy ensures that Amazon ECS containers only have read-only access to the root file system, greatly reducing the risk of unauthorized alterations to important system files. This helps to protect the integrity and consistency of data and system files.
- Restricting ECS containers to read-only access to root file systems helps to limit the potential damage if a container is compromised. An attacker gaining access to a container would not be able to modify system files, thus reducing their ability to harm systems or access sensitive data.
- AWS ECS tasks are stateless by design. Any data that an application writes to the underlying host system is deleted when that container is terminated or fails. This rule ensures data persistence by protecting the root file system from alterations.
- Non-compliance with this policy could lead to potential security vulnerabilities such as unauthorized access or modifications, data breaches, and system instability. Hence, implementing the policy is a proactive measure to enhance the security posture of an organization’s infrastructure.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.314(b)(2)(i)
Ensure Elastic Beanstalk managed platform updates are enabled
Ensure Elastic Beanstalk managed platform updates are enabled
- This policy ensures that Elastic Beanstalk managed platform updates are enabled, which means the environment automatically receives the latest patches, updates, and new features without manual intervention.
- Implementing this rule helps maintain the integrity and stability of the code running in the environment by always keeping it updated and patched against known coding vulnerabilities, thus reducing potential attack vectors.
- By using Infrastructure as Code (IaC) approach with Terraform, this policy automates the update process, significantly reducing the risk of human error during manual patching or feature update procedures.
- The particular policy targets ‘aws_elastic_beanstalk_environment’ resources, playing a key role in maintaining a reliable, secure, and high-performing environment for AWS Elastic Beanstalk applications.
- The check violates the following HIPAA rules:
- 164.308(a)(5)(ii)(A)
Ensure Amazon Redshift clusters should have automatic snapshots enabled
Ensure Amazon Redshift clusters should have automatic snapshots enabled
- Enabling automatic snapshots for Amazon Redshift clusters helps safeguard the data stored in these clusters by regularly creating backups. The loss or corruption of data could lead to significant operational and financial damages for the entity.
- Based on the policy, automatic snapshots can greatly help during disaster recovery situations. In case of a breach or system failure, the automatic snapshots can be used to restore the system to a point in time before the incident, reducing potential data loss.
- If Redshift clusters do not have automatic snapshots enabled, it can lead to non-compliance with various data protection and corporate governance requirements. This could result in penalties, legal repercussions, or loss of trust among customers and stakeholders.
- As the resource link suggests, using Infrastructure as Code (IaC) tools like Terraform can potentially automate enabling of snapshots and bring efficiency in operations, reducing manual intervention and errors. This helps maintain a consistent state of infra security management.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
Ensure IAM root user doesnt have Access keys
Ensure IAM root user doesnt have Access keys
- Ensuring the IAM root user doesn’t have access keys helps restrict super admin level permissions, preventing possible unauthorized and potentially destructive actions within the AWS environment.
- The policy aids in delegating permissions to specific IAM users who need them to perform certain tasks, thereby adhering to the principle of least privilege and enhancing overall security.
- Without access keys for the root user, there’s a reduces risk that they might be accidentally exposed or misused, helping to prevent incidences like unexpected charges or data breaches.
- This policy aids companies in aligning with AWS best practices, achieving regulatory compliance where certain standards mandate restricting root account privileges, and passing audits that verify secure cloud infrastructure.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(a)(2)(i)
- 164.314(b)(2)(i)
Ensure that RDS instances have performance insights enabled
Ensure that RDS instances have performance insights enabled
- Enabling RDS instances with performance insights allows continuous monitoring of the database load, facilitating detection and resolution of performance issues faster. This ensures the availability and stability of business-critical applications that rely on these databases.
- By implementing this security policy, potential anomalies, and outliers which could signal attacks, breaches or performance issues are effectively identified and mitigated in a timely manner, reducing potential downtimes.
- The policy aids in optimizing the use of resources; analysis from the Performance Insights can guide decisions on scaling and allocation, influencing the efficiency, and cost-effectiveness of operations.
- Implementing this rule using Infrastructure as Code (IAC) tool like Terraform allows for automation, easily applying the policy across multiple instances and maintaining a consistent level of security and performance monitoring across the infrastructure.
- The check violates the following HIPAA rules:
- 164.312(b)
Ensure DocumentDB has an adequate backup retention period
Ensure DocumentDB has an adequate backup retention period
- Ensuring DocumentDB has an adequate backup retention period is critical to prevent data loss in case of accidental deletions or system failures. Without proper data backups, businesses risk losing valuable information that can impact operational efficiency, customer relations, and overall profitability.
- The policy impacts both cost and storage. Maintaining an appropriate backup retention period prevents unnecessary expenditures on excessive storage space. Conversely, too short a retention period can lead to higher costs if data restoration is required.
- Lowering the risk of non-compliance with data protection regulations is another vital impact of this policy. Various jurisdictions have laws mandating certain durations of data retention, failure to comply can result in hefty fines or legal sanctions.
- Finally, the policy impacts disaster recovery strategies and business continuity plans. In the event of a significant disruption such as a cyber-attack, an adequate DocumentDB backup retention period ensures that companies can recover essential data quickly and resume normal operations as soon as possible.
- The check violates the following HIPAA rules:
- 164.312(a)(2)(ii)
Ensure that only encrypted EBS volumes are attached to EC2 instances
Ensure that only encrypted EBS volumes are attached to EC2 instances
- Encrypting EBS volumes attached to EC2 instances helps to ensure the confidentiality and integrity of data at rest. This is crucial, as unencrypted data can be easily accessed if the underlying storage is compromised.
- Not encrypting EBS volumes may violate regulations such as GDPR, HIPAA, or PCI DSS, which require the protection of sensitive data. Non-compliance can result in severe fines and damage to the organisation’s reputation.
- Encrypting EBS volumes provides robust security measures such as cryptographic separation, which ensures no user can access raw disk blocks of another user’s EBS volume without knowing their encryption key, adding an extra layer of data protection.
- Connection of unencrypted EBS volumes to EC2 instances can lead to undesirable exposure of sensitive data, since EC2 instances often process and store critical information. Encrypting the EBS volumes reduces this risk by making any stolen or intercepted data unreadable without the decryption key.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(2)(ii)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)(i)
Ensure GuardDuty is enabled to specific org/region
Ensure GuardDuty is enabled to specific org/region
- Enabling GuardDuty in a specific organization or region allows the continuous monitoring and detection of potentially malicious or unauthorized behavior, such as unusual API calls or potentially unsecured account activity, enhancing the security posture of your AWS environment.
- As this policy is implemented through Infrastructure as Code (IaC) using Terraform, it ensures that the security configuration is maintained consistently across all environments, thereby reducing configuration errors and enhancing security.
- Enforcing this policy not only helps in identifying potential threats but also accelerates incident response by providing detailed and actionable security findings, facilitating the organization’s ability to mitigate risks.
- Having GuardDuty enabled as specified in the security policy helps in meeting compliance requirements for certain regulations and standards, that mandate continuous threat detection and response mechanisms, thereby aiding in maintaining regulatory compliance.
- The check violates the following HIPAA rules:
- 164.308(a)(5)(ii)(C)
- 164.308(a)(6)(ii)
- 164.308(a)(8)
- 164.312(b)
Ensure that S3 bucket has a Public Access block
Ensure that S3 bucket has a Public Access block
- This policy is critical because it ensures that Amazon S3 buckets are not unintentionally exposed to the public internet, hence reducing the risk of data breaches and unauthorized access to sensitive data.
- The policy helps to comply with industry best practices and standards regarding data privacy and security, thereby protecting the legal and reputational standing of the organization.
- Implementing this policy impacts resource management in Terraform by enforcing stricter access controls and ensuring data stored in S3 buckets is only accessible to authorized users or services under specified conditions.
- With the block on public access, it prevents the accidental modification of access control lists or bucket policies that could open up unrestricted access to the bucket, thereby maintaining the consistency of security configurations.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(3)(i)
- 164.308(a)(3)(i)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.308(a)(4)(ii)(C)
- 164.308(a)(4)(ii)(C)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(a)(1)
- 164.312(a)(1)
- 164.312(a)(1)
- 164.312(e)(1)
- 164.312(e)(1)
- 164.312(e)(1)
- 164.312(e)(1)
- 164.314(b)(1)
- 164.314(b)(1)
- 164.314(b)(2)
- 164.314(b)(2)
Ensure that RDS clusters has backup plan of AWS Backup
Ensure that RDS clusters has backup plan of AWS Backup
- Ensuring that RDS clusters have an AWS Backup plan allows for seamless recovery of data in the event of accidental deletion, system failure, or data corruption, which in turn, significantly reduces the impact of data loss incidents.
- A Backup plan ensures operational continuity as any disruption in the database service due to unforeseen issues would not cause an extended halt in the services, thereby maintaining the SLAs and keeping client trust intact.
- AWS Backup plan can automate the backup process, reducing human error, and freeing up resources that would otherwise be required for manual backups. This can lead to increased efficiency in resource allocation and cost savings.
- This policy enforces good data governance practices by ensuring regular and consistent backups. This is important for regulatory compliance, especially for organizations handling sensitive customer information or those operating in highly regulated industries.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
Ensure that EBS are added in the backup plans of AWS Backup
Ensure that EBS are added in the backup plans of AWS Backup
- Ensuring that Elastic Block Stores (EBS) are included in the backup plans of AWS Backup is essential for data recovery in case of accidental deletion, failures or any unforeseen disasters. This policy thus increases data resiliency and business continuity.
- Adding EBS volumes to AWS Backup greatly facilitates automated, centrally managed and policy-driven backups across AWS resources. This reduces administrative overhead and optimizes resource allocation.
- This policy ensures compliance in sensitive and regulated environments. Regularly backing up data is not just good practice, but often a stringent requirement in terms of regulatory and compliance rules.
- Exclusion of EBS volumes in the backup plan can lead to potential data loss, which can have serious financial, legal and reputational implications. By enforcing this policy, these risks are effectively mitigated.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
- 164.312(a)(2)(ii)
- 164.312(a)(2)(ii)
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure CloudTrail trails are integrated with CloudWatch Logs
- This policy ensures that all activity within your AWS CloudTrail is being recorded and monitored in CloudWatch Logs. This allows for comprehensive oversight of your infrastructure and can help improve troubleshooting, auditing, and investigative processes.
- The integration of CloudTrail with CloudWatch Logs enables real-time processing of log data. This results in faster detection and analysis of security incidents, operational problems, and other important information within your cloud environment.
- It offers storage and archival solutions. By integrating CloudTrail with CloudWatch, logs are stored and can be archived in a designated S3 bucket for later reference or in case of an audit, ensuring historical accountability of all changes and actions.
- It facilitates a proactive security measure due to CloudWatch’s capability of setting up alarms for unusual or unauthorized behavior. This can aid in minimizing damages caused by a security incident by addressing the issue as soon as it arises.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(ii)(A)
- 164.312(b)
- 164.312(c)(1)
- 164.312(c)(2)
Ensure VPC flow logging is enabled in all VPCs
Ensure VPC flow logging is enabled in all VPCs
- Enabling VPC flow logging in all VPCs provides visibility into the traffic entering and exiting the VPCs, which is essential for monitoring and troubleshooting potential network security issues.
- VPC flow logging is key in auditing and compliance as it records and stores metadata like source and destination IP addresses, packet and byte counts, and TCP flags, amongst others, confirming or refuting compliance with established network policies.
- Without VPC flow logging, real-time and historical analysis of the VPC’s network traffic, which can be crucial in incident response, is impossible, thereby increasing the risk of undetected malicious activities and data breaches.
- The VPCHasFlowLog.yaml Terraform check ensures that the logging is enabled by default and therefore alleviates the manual task of enabling it each time a new VPC is created, making it more difficult for mistakes or oversights to occur that could lead to security vulnerabilities.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.312(b)
Ensure the default security group of every VPC restricts all traffic
Ensure the default security group of every VPC restricts all traffic
- This policy aims to mitigate the risk of unauthorized access, data breaches, and potential attacks on your infrastructure by ensuring that the default security group of every Virtual Private Cloud (VPC) restricts all traffic unless explicitly allowed, making your environment more secure.
- The policy implements Infrastructure as Code (IaC) using Terraform, facilitating automated and version-controlled security configurations. This not only ensures consistency and reproducibility across multiple environments, reducing human errors, but also enables quick responses to configuration deviations.
- It specifically targets the aws_default_security_group and aws_vpc resources, making it highly relevant for organizations using AWS for cloud services. It ensures that your infrastructural entities are compliant with the best security practices in the industry and adhere to principles of least privilege access.
- By enforcing this policy, organizations not only bolster their defenses against malicious parties but also create a conducive environment for achieving compliances, such as GDPR or HIPAA, which often require stringent traffic control mechanisms. It also allows for easier auditability and accountability within the organization for better governance.
- The check violates the following HIPAA rules:
- 164.312(e)(1)
Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.
-
Ensuring that auto Scaling groups are using Elastic Load Balancing health checks is crucial in maintaining consistent performance and availability of applications even when there are traffic spikes or failures in one or more instances. This policy guarantees the appropriate response in these situations for minimizing disruption and maintaining business continuity.
-
Elastic Load Balancing health checks helps in the early detection of issues in any instance within an auto Scaling group. The load balancer periodically sends requests to its registered instances to test their status, and based on the received responses, it can redirect traffic away from unhealthy instances thus preventing potential service disruptions.
-
By adhering to this policy, organizations ensure that instances under heavy load or faulty behavior are automatically replaced by the auto scaling feature, promoting seamless operation of their applications. This guarantees an automated, self-healing infrastructure without the need for manual intervention.
-
This policy also has a significant role in cost optimization. By using Elastic Load Balancing health checks, auto Scaling groups can efficiently scale out and in, based on the load. This ensures resources utilization is proportional to the demands, and that unnecessary costs due to over-provisioning are avoided.
-
The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(b)
Ensure that Auto Scaling is enabled on your DynamoDB tables
Ensure that Auto Scaling is enabled on your DynamoDB tables
- Enabling Auto Scaling on DynamoDB tables helps manage costs by automatically adjusting read and write capacity units to match the demand pattern, thus avoiding under-provisioning that could degrade performance or over-provisioning that could result in unnecessary cost.
- The policy is critical in maintaining application availability as DynamoDB Auto Scaling delivers better read and write traffic management, which ensures high throughput and low latency, automatically scaling down in periods of low demand.
- Auto Scaling reduces the complexity of capacity management for large scale applications. Without the policy, developers must manually manage the provisioned capacity for each table and potentially juggle multiple different tables, which could lead to human error.
- Implementing this policy with Infrastructure as Code (IaC) via Terraform, allows for more reliable and consistent scaling operations, as the code can be version controlled, tested and repeated across different environments. It provides an easy and error-free way to enforce the policy.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(C)
- 164.314(b)(2)(i)
Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup
Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup
- The policy ensures that critical data stored in Elastic File System is regularly backed up, mitigating risks associated with data loss during incidents of system failures, human errors, or cyber-attacks.
- Implementation of the policy facilitates easier recovery of lost or corrupted data, thereby minimizing potential business downtime and thus, maintaining business continuity.
- Regular backup as per this policy enables a smoother transition in migration processes, as it allows for the seamless retrieval and integration of data into new systems.
- The policy aids in compliance with various data protection regulations that require organizations to have a robust data backup and recovery plan in place.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
- 164.312(a)(2)(ii)
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
- Ensuring all Elastic IP (EIP) addresses allocated to a VPC are attached to EC2 instances helps to optimize resource utilization, as unused EIPs can result in unnecessary costs.
- This policy aids in reducing the surface area for potential security attacks. Unattached EIPs can be exploited by cyber criminals to gain unauthorized access or launch attacks.
- It ensures smooth network traffic flow and helps in avoiding the accidental misrouting of network traffic to unconnected resources, improving the overall networking performance.
- Implementing this policy can lead to improved management and transparency of infrastructure resources, reducing the likelihood of inconsistencies or misconfigurations that can potentially compromise the security or functionality of the VPC.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(3)(i)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.312(e)(1)
Ensure that ALB redirects HTTP requests into HTTPS ones
Ensure that ALB redirects HTTP requests into HTTPS ones
- This policy is crucial for boosting website security by forwarding all incoming unsecured HTTP requests to secured HTTPS, thereby mitigating the risk of intercepting and altering communications between users and web services.
- Using HTTPS ensures that any data transmitted between the user and the website is encrypted and, thus, safeguards sensitive user information from potential cyber threats like eavesdropping or MITM (Man in the Middle) attacks.
- A successful implementation of this policy assures compliance with industry standards and regulations regarding data protection, leading to enhanced trust and striking a good rapport with customers and stakeholders.
- It provides an automatic security update to the aws_alb and aws_lb_listener entities without requiring any manual changes in the configurations, making the process more efficient and less prone to human error.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.312(a)(2)(iv)
- 164.312(e)(1)
- 164.312(e)(2)(i)
- 164.312(e)(2)(ii)
- 164.314(b)(2)(i)
Ensure an IAM User does not have access to the console
Ensure an IAM User does not have access to the console
- This policy prevents unauthorized access to highly secure interfaces and reduces the risk of a data breach. By restricting access to the AWS Management console, only necessary entities have the ability to modify system configurations.
- IAM User access to the console can result in changes made outside of the Terraform configurations. This can lead to configuration drift where the actual system state does not match the described state, increasing complexity and causing potential vulnerabilities.
- Removal of direct console access enforces the principle of least privilege. Any action taken is linked to a specific function or service, and no user gets more access than they need, which in turn reduces the potential surface area for potential attacks.
- It increases auditability and traceability because actions are made through applications, scripts, or services that log every request. It improves understanding of user actions and establishes strong accountability by associating actions with a unique identity.
- The check violates the following HIPAA rules:
- 164.312(d)
Ensure public facing ALB are protected by WAF
Ensure public facing ALB are protected by WAF
- This policy is crucial in preventing unauthorized access to applications via the public-facing Application Load Balancer (ALB). By enforcing the use of a Web Application Firewall (WAF), it helps block harmful traffic or suspicious requests that could compromise the security of the application.
- The policy assists businesses in complying with various data security standards (like PCI DSS and HIPAA) that require WAF for public-facing web applications. Non-compliance may result in fines or penalties, or increased vulnerability to cyberattacks.
- Implementation of this policy through IaC (Infrastructure as Code) tools like Terraform enables consistent and repeatable protections across environments, reducing the likelihood of configuration errors that could leave an ALB unprotected.
- By reliably utilizing WAF in front of ALB, this policy also aids in protecting against common web-based attacks such as SQL Injection and Cross-Site Scripting (XSS), thus maintaining the integrity and availability of the application as well as protecting sensitive user data.
- The check violates the following HIPAA rules:
- 164.312(e)(1)
Ensure WAF2 has a Logging Configuration
Ensure WAF2 has a Logging Configuration
- By ensuring Web Application Firewall (WAF2) has a logging configuration, the policy enables the tracking of all incoming and outgoing traffic, providing detailed visibility and control over access and modifications. This assists in auditing and tracking suspicious behavior.
- Regular logs of WAF2 activity provide crucial data in real-time that can be used for identifying and understanding potential security incidents, breaches, or vulnerabilities in your resources.
- Compliance with regulatory measures and industry standards are often required for entities operating in specific industries. Having a logging configuration for WAF2 demonstrates an active measure to follow these norms and could prevent penalties for non-compliance.
- Implementing this policy helps save time and resources. In the event of a security event, instant access to detailed, well-structured logs can significantly reduce investigation and recovery time, offering detailed information on the incident.
- The check violates the following HIPAA rules:
- 164.312(b)
Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled
Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled
- This policy is crucial as it ensures the high availability of the ElastiCache Redis cluster. By enabling the Multi-AZ Automatic Failover feature, services will continue running even if one or more cache nodes fail, thus minimizing disruption.
- The automatic failover feature is instrumental in safeguarding against single point of failure scenarios. In such events, AWS will automatically detect the failure, promote a read replica to be the new primary, and restore service operation with limited impact on performance.
- With the implementation of this policy, recovery time in case of failure is drastically reduced. AWS ElastiCache automatically handles the recovery process which could be a time-consuming and error-prone process if done manually.
- Ensuring this policy can help to minimize the potential loss of critical, high-speed cache data stored in ElastiCache Redis clusters. Keeping the Multi-AZ Automatic Failover feature always enabled helps organizations maintain business continuity even in the event of unexpected catastrophes.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
Ensure Secrets Manager secrets should have automatic rotation enabled
Ensure Secrets Manager secrets should have automatic rotation enabled
- Enabling automatic rotation in Secrets Manager minimizes the risk of sensitive data being compromised due to prolonged periods of exposure, improving the overall security stance of your AWS assets.
- Automatic secrets rotation ensures that credentials are frequently refreshed, which can prevent unauthorized access due to lost or stolen credentials as they will quickly become obsolete.
- The constant changing of credentials reduces the possibility of password cracking or other brute force attacks, providing an additional layer of security for your AWS services and applications.
- By having this policy in place, compliance with strict security regulations and standards can be ensured, which may require periodical rotation of sensitive information such as passwords and API keys.
- The check violates the following HIPAA rules:
- 164.308(a)(4)(ii)(B)
Ensure AWS Neptune cluster deletion protection is enabled
Ensure AWS Neptune cluster deletion protection is enabled
- Enabling AWS Neptune cluster deletion protection prevents accidental deletion of the database, ensuring that important and sensitive data is not lost due to inadvertent operations or automation scripts.
- This policy encourages strong infrastructure as code (IaC) practices. Using Terraform to automate enabling deletion protection on a Neptune cluster reduces manual effort and streamlines compliance across multiple resources.
- The safer administration of databases lowers the risk of data breaches and mishandling which can have major financial consequences and even damage the company’s reputation.
- Having a deletion protection enhances data longevity, enabling businesses to perform historical analysis and trends prediction over an extended period which leads to better data-driven decision-making and strategy development.
- The check violates the following HIPAA rules:
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(C)
- 164.314(b)(2)(i)
Ensure RDS instance with copy tags to snapshots is enabled
Ensure RDS instance with copy tags to snapshots is enabled
Ensure that an S3 bucket has a lifecycle configuration
Ensure that an S3 bucket has a lifecycle configuration
- Ensuring an S3 bucket has a lifecycle configuration is critical in managing objects efficiently and cost-effectively by automatically transitioning them to less expensive storage classes or archiving them over time.
- Without a lifecycle policy, old and rarely accessed data can accumulate, leading to higher storage costs. Hence, S3 bucket Lifecycle policies reduce costs by automatically moving data that is rarely accessed to less expensive storage classes.
- A lifecycle configuration also allows for automatic deletion of data that is no longer needed after a certain period, helping with data governance and compliance requirements.
- Unmanaged data in S3 buckets could potentially lead to security vulnerabilities or data breaches if the data is sensitive or unencrypted. Lifecycle configurations can ensure that unneeded data is promptly and securely disposed of.
- The check violates the following HIPAA rules:
- 164.308(a)(1)(ii)(B)
- 164.308(a)(7)(i)
- 164.308(a)(7)(i)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(A)
- 164.308(a)(7)(ii)(B)
- 164.308(a)(7)(ii)(B)
- 164.312(a)(2)(ii)
- 164.312(c)(1)
- 164.312(c)(2)
Ensure S3 buckets should have event notifications enabled
Ensure S3 buckets should have event notifications enabled
- Enabling event notifications on S3 buckets is crucial as it alerts the administrators about any changes or activities in the bucket, increasing visibility and enabling faster response to potential security threats or data breaches.
- S3 bucket event notifications contribute to maintaining data integrity by triggering workflows or automated processes in response to specific events, ensuring that any modifications, deletions, or other activities do not go unaddressed.
- With this policy, all S3 bucket operations are monitored which assists in auditing and regulatory compliance needs by keeping a record of all actions performed on the data, who performed them, and when they were performed.
- The policy of enabling event notifications reduces the reliance on manual checking and lowers the risk of human error, as it utilizes Terraform and AWS S3 bucket resource to automate notifications for any changes, ensuring improved security and efficiency.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(ii)(A)
- 164.308(a)(3)(ii)(A)
- 164.312(b)
- 164.312(b)
- 164.312(b)
Ensure KMS key Policy is defined
Ensure KMS key Policy is defined
- Ensuring a KMS key Policy is defined helps in managing cryptographic keys that are used to encrypt data. Undefined key policies leave resources vulnerable to unintended access or use.
- The policy’s importance also lies in reinforcing role-based access control (RBAC) for the entities ‘aws_kms_key’, by validating who can use the keys and for what operations, therefore enhancing security and user account management in the AWS environment.
- Clear definitions of the KMS key policy are pivotal in enforcing AWS security best practices. They enable the application, tracking and auditing of robust security policies across the infrastructure, particularly when dealing with sensitive data.
- By using Infrastructure as Code (IaC) like Terraform, automating the definition of KMS key policies enhances operational efficiency as well as the overall security posture by reducing human errors and inconsistencies in configuration.
- The check violates the following HIPAA rules:
- 164.308(a)(3)(i)
- 164.308(a)(3)(ii)(A)
- 164.308(a)(4)(ii)(A)
- 164.308(a)(4)(ii)(B)
- 164.308(a)(4)(ii)(C)
- 164.312(a)(1)
- 164.314(b)(2)(i)