Compliance
RBI Baseline Cyber Security and Resilience Requirements
Ensure all data stored in the Elasticsearch is securely encrypted at rest
Ensure all data stored in the Elasticsearch is securely encrypted at rest
- This policy helps to protect sensitive information from unauthorized access by encrypting all data at rest in Elasticsearch. This adds an extra layer of security, making it difficult for intruders to read and utilize the data if they somehow get access to storage.
- Ensuring encryption at rest for Elasticsearch data can help organizations comply with regulatory standards like GDPR or HIPAA, which require specific measures for protecting data and may result in penalties if not followed.
- Implementing this policy would also improve system reliability by minimizing the potential attack surface for exploits that can steal unprotected data, thereby adding an extra layer of defense against data breaches and leaks.
- Encrypting data at rest can also prevent data corruption, as encryption can add redundancy checks that ensure data integrity and prevent accidental alterations or deletions. This could potentially save the organization from enormous reparation costs and loss of customer confidence.
Ensure all Elasticsearch has node-to-node encryption enabled
Ensure all Elasticsearch has node-to-node encryption enabled
- Ensuring all Elasticsearch nodes have node-to-node encryption enabled provides an additional security layer against unauthorized access and data breaches. Without node-to-node encryption, the data transmitted between Elasticsearch nodes could be intercepted and read, posing a significant security risk.
- Enabling node-to-node encryption in Elasticsearch helps organizations meet compliance requirements. Many industries have regulations that mandate the encryption of data both in transit and at rest, so enabling this feature can help companies in regulated industries stay within compliance guidelines.
- Configuring Elasticsearch without node-to-node encryption may lead to data leakage, providing cybercriminals with sensitive information. Once the information has been leaked, it can have severe effects on both the organization’s reputation and its financial status.
- Implementing this policy can prevent potential network eavesdropping attacks by encrypting communication between Elasticsearch nodes. This kind of attack can be conducted by an attacker with access to the network to intercept and even potentially manipulate data packets being transmitted between nodes.
Ensure IAM password policy prevents password reuse
Ensure IAM password policy prevents password reuse
- The policy ensures that users can’t reuse old passwords, thereby reducing the risks related to compromised passwords. If a hacker gets access to old passwords, they won’t be able to use them.
- This policy improves the security posture of the AWS IAM, as enforcing unique passwords for accounts requires users to constantly change and update their passwords, making it difficult for unauthorized users to gain access.
- Enforcing a no password reuse policy encourages the use of strong and unique passwords among users. This, in turn, makes the system more secure by hardening authentication processes.
- It fosters better password management practices among users, leading to a culture of security consciousness and vigilance against potential cybersecurity threats.
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail log file validation is enabled
- Ensuring CloudTrail log file validation is enabled provides an additional layer of security by verifying that the CloudTrail logs have not been tampered with. This safeguard helps maintain the integrity of logs and the reliability of audit activities in the AWS environment.
- This policy is critical because log file validation allows for the detection of unauthorized changes to log files. If a log file is modified, deleted, or moved from its original location, it will fail validation, notifying admins about potential security breaches.
- The enabled log file validation policy contributes to establishing a robust security posture in AWS. It supports compliance with industry security standards and regulations that require monitoring and logging of activities in the IT infrastructure.
- It can prevent potential data loss situations. If a CloudTrail log file is inadvertently modified or deleted, the log record remains intact because it retains a copy of the content. This policy helps to ensure traceability and accountability of actions made in the AWS environment.
Ensure CloudTrail is enabled in all Regions
Ensure CloudTrail is enabled in all Regions
- Enabling CloudTrail in all regions is important as it provides visibility into user activity by recording actions taken on your AWS infrastructure, thereby increasing transparency and accountability.
- This policy aids in detecting unusual or unauthorized activities by allowing you to review detailed CloudTrail event logs that track every API call made across all regions, providing an additional layer of security.
- It facilitates compliance with various regulations by providing an auditable record of all changes and administrative actions on AWS resources across every region, increasing the traceability and meeting various IT governance requirements.
- Disabling CloudTrail in any region could result in not detecting potential security threats in those regions. This could seriously harm the organization’s valuable resources and data, making this policy crucial for maintaining and improving overall security posture.
Ensure CloudTrail logging is enabled
Ensure CloudTrail logging is enabled
- Enabling CloudTrail logging is crucial for auditing and monitoring activities in your AWS environment. It records and retains event log files of all API activity, which is essential in detecting suspicious activity or identifying operational issues.
- This policy helps in ensuring compliance with numerous cybersecurity standards and audits. CloudTrail logging can be utilised as evidence for demonstrating compliance with internal policies or external regulations by providing a history of actions, changes, and events.
- Implementing this policy means that even in the case of a security incident, having enabled CloudTrail logging offers the ability to conduct thorough forensic analysis. It allows the security team to trace back the actions of an attacker or determine the cause of an incident.
- Without enforcing this policy, organisations are exposed to an increased risk of undetected security breaches. Unidentified malicious activities or unauthorized changes in infrastructure could lead to data leaks, service disruptions, or additional costs due to the misuse of resources.
Ensure ELB Policy uses only secure protocols
Ensure ELB Policy uses only secure protocols
- This policy ensures that Elastic Load Balancing (ELB) only uses secure protocols, fortifying the defense of data transmitted between the client and the load balancer, reducing the risk of data breach.
- With secure protocols, it guards against attacks like surveillance, data modification, and spoofing by lowering the chance of unencrypted or weakly encrypted data being intercepted or tampered.
- Using insecure protocols can lead to non-compliance with data protection regulations like GDPR or HIPAA, resulting in severe legal and financial consequences. This policy helps in maintaining compliance with such regulations.
- Implementing this policy via Infrastructure as Code (IaC) approach using Terraform allows for scalable, repeatable, and efficient security configuration across various AWS load balancer policies, enhancing the overall security posture.
Ensure EFS is securely encrypted
Ensure EFS is securely encrypted
- Ensuring that EFS (Elastic File System) is securely encrypted helps protect sensitive data stored in the AWS EFS, providing an extra layer of safety against unauthorized access and data breaches.
- Enforcing this policy can significantly enhance the security posture of the AWS environment since EFS, primarily used for sharing data across multiple instances, without encryption, can expose sensitive data to potential eavesdropping activities.
- Compliance with regulations: Many industries and jurisdictions have mandatory data protection laws and regulations that require encryption-at-rest for certain types of data. Implementing EFS encryption ensures compliance with such regulatory requirements.
- This policy, implemented via Infrastructure as Code (IaC) such as Cloudformation, enables automated, repeatable, and scalable encryption process which will reduce manual errors and overhead of manual configuration, thus improving efficiency while assuring compliance continuously.
Ensure IAM policies that allow full - administrative privileges are not created
Ensure IAM policies that allow full - administrative privileges are not created
- Restricting the creation of IAM policies that allow full “
*-*” administrative privileges helps in maintaining a principle of least privilege, ensuring only necessary permissions are granted. This significantly reduces the risk of unauthorized access or potential misuse of permissions. - Without this policy, there could be unrestricted access across all services within the AWS environment, increasing the risk of inadvertent modifications or deletions, possibly leading to business disruption, data loss or service unavailability.
- Overly permissive IAM policies could potentially open up avenues for security breaches. A hacker who gains access to these permissions could take control of the entire AWS account, stealing sensitive information, or injecting malicious code.
- Imposing this security policy encourages the adoption of role-based access control (RBAC), increasing accountability and enforceability. This can help an organization monitor and audit user actions more effectively and detect policy violations promptly.
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
- This security policy is important as it restricts the use of the AWS AdministratorAccess policy to IAM roles, users, and groups. This limits the access and control over AWS resources, thus minimizing the risk of unauthorized or destructive actions by reducing the attack surface.
- By enforcing this policy, you can implement the principle of least privilege. This practice states that a user should have the minimal levels of access – or permissions – to perform his/her job functions. This prevents potential misuse of excessive permissions.
- The policy reduces the risk of a single point of compromise by not letting any specific IAM user, group, or role have complete admin access. If one account is compromised, the impact is limited because the attacker does not automatically gain full control of the entire AWS environment.
- This policy impacts organizational security by holding individual users accountable for their actions with clearly defined permissions and roles. This allows for better monitoring and auditability of activities, thereby improving the ability to detect abnormal or suspicious behavior promptly.
Disallow policies from using the AWS AdministratorAccess policy
Disallow policies from using the AWS AdministratorAccess policy
- The policy ensures restricted access to AWS services as granting AdministratorAccess can lead to an over-privilege scenario, where a user, group, or role receives more access than necessary, posing a significant security risk.
- It helps maintain the principle of least privilege (PoLP), which is crucial because minimizing the potential impact of credential compromise can help protect information and systems from unauthorized use, data loss, or malicious activities.
- This policy mitigates risk as attaching the AWS AdministratorAccess policy effectively provides full permissions to all AWS services and resources, potentially enabling accidental alterations or deletions in the infrastructure, ultimately affecting service integrity and reliability.
- Furthermore, it reinforces accountability and auditing requirements, as access rights and activities can be traced back to individual users or services. Without this limitation, tracking unauthorized or malicious activities becomes complicated, hindering incident response and forensic investigations.
Ensure all data stored in RDS is not publicly accessible
Ensure all data stored in RDS is not publicly accessible
- This policy safeguards sensitive information by ensuring no unauthorized users can access the data stored in RDS, thereby reducing the risk of data breaches and maintaining the confidentiality and integrity of the data.
- It helps in mitigating potential legal and financial repercussions. If sensitive data such as personal identifiable information (PII) gets breached, the company might face heavy penalties and damage of reputation.
- Enforcing this policy aligns with the best practices for data security in cloud computing environments, especially within AWS, fostering trust among stakeholders, clients and regulatory bodies.
- By automatically blocking public access through Infrastructure as Code (IaC) methods like Cloudformation, the policy minimizes human error and the risk associated with manual configuration adjustments, thus enhancing the overall security posture of the cloud environment.
Ensure that RDS clusters have deletion protection enabled
Ensure that RDS clusters have deletion protection enabled
- Enabling deletion protection on RDS clusters prevents accidental deletion of critical data, ensuring the continuity of business operations and reducing potential downtime due to data loss.
- This policy ensures that organizational standards for data protection and disaster recovery are adhered to, which can be particularly important for compliance with regulations like GDPR and HIPAA.
- By using Infrastructure as Code (IaC) with Terraform to enforce this policy, organizations can automate and standardize protection settings across all RDS clusters, reducing the likelihood of human error.
- Disabling deletion protection can expose the system to potential risks such as data tampering and cyber attacks; therefore, adhering to the policy aids in maintaining the integrity and security of the system.
Ensure Elasticsearch Domain enforces HTTPS
Ensure Elasticsearch Domain enforces HTTPS
- Ensuring Elasticsearch Domain enforces HTTPS enhances the security of data in transit between the client and the server by encrypting it, which helps prevent unauthorized access and tampering.
- This policy safeguards sensitive information in Elasticsearch Domain from being exposed during transmission, reducing the risk of data breaches or leaks due to eavesdropping on network traffic.
- Non-compliance with this policy could potentially leave the Elasticsearch domains vulnerable to man-in-the-middle attacks where attackers could hijack the connection and steal sensitive information.
- Implementing this policy via Infrastructure as Code (IaC) with CloudFormation allows for scalability, repeatability and helps maintain a secure configuration regardless of the environment size or complexity.
Ensure the S3 bucket has access logging enabled
Ensure the S3 bucket has access logging enabled
- Enabling access logging for the S3 bucket provides detailed records for the requests made to this bucket. This is essential as it helps track any changes made to the bucket and allows for easy tracing of the activities in the event of security breaches or for general auditing.
- It helps protect against unauthorized access or data breaches by keeping track of all the access requests including the source, time of access, the object that was accessed, and the action performed. Identifying any unexpected behavior or malicious activity becomes more efficient.
- This access log can serve as a research base when working towards compliance with different standards or legal requirements. Companies with significant regulatory burdens can use these logs to establish patterns, corroborate events, or provide evidence in support of an investigation.
- This policy will also provide a hindsight into the bucket’s typical usage patterns and help identify any unnecessary or redundant access actions. Such an understanding can lead to optimization of operations and cost management in relation to data storage and management in an AWS environment.
Ensure rotation for customer created CMKs is enabled
Ensure rotation for customer created CMKs is enabled
- Enabling rotation for customer created CMKs (Cloud Management Keys) in AWS enhances the security of your AWS services by making it difficult for unauthorized entities to decode the encrypted data, even if they manage to get old CMKs.
- Following this policy reduces the risk of a single key being compromised and potentially leading to a security breach, as the keys regularly rotate and retire, making them obsolete for deciphering data.
- The implementation of this policy ensures compliance with security best practices and regulations, such as GDPR and PCI DSS, which require key rotation for cryptographic keys to maintain data privacy.
- Failure to adhere to this policy could result in security vulnerabilities, increased penetration risks, non-compliance fines by regulatory bodies, and potential reputation damage due to data breaches.
Ensure VPC subnets do not assign public IP by default
Ensure VPC subnets do not assign public IP by default
- Implementing this policy helps in reducing overall attack surface, as limiting the assignment of public IP addresses to VPC subnets by default reduces the number of potential targets that malicious actors can exploit.
- It ensures an additional layer of security by controlling and monitoring the entities in the network that communicate with public networks, thereby limiting potential unauthorized access and data breaches.
- Enforcing this policy results in network traffic to flow through designated points, creating an opportunity for centralized inspection, logging, auditing, and possible intrusion detection, which further strengthens the security posture.
- This policy could also lead to cost savings as unnecessary assignment of public IPs could lead to unwanted egress data transfer charges. It promotes a financially efficient use of resources while maintaining optimal security.
Ensure Kinesis Stream is securely encrypted
Ensure Kinesis Stream is securely encrypted
- Ensuring Kinesis Stream encryption is crucial because it protects sensitive data from unauthorized access and breaches by encrypting all the data records using AWS Key Management Service (KMS) keys.
- It safeguards the confidentiality and integrity of the data transmitted through the stream, thereby ensuring that information isn’t compromised if intercepted during transit or at rest.
- Implementing this policy via Infrastructure as Code (IaC) using Cloudformation allows for better scalability, manageability, and consistency, preventing misconfigurations that could leave the data vulnerable.
- Non-compliance to this policy could lead to regulatory fines if found in violation of standards like GDPR or HIPAA, which require robust measures for protection of personal data.
Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)
- This policy ensures that Kinesis Video Stream data is robustly encrypted for higher security, quantifying potential risks of data breaches or cyber attacks that target and exploit improperly guarded information.
- Leveraging a customer managed Key (CMK) provides further control and flexibility, allowing users to define how the encryption keys are generated, used and rotated, enhancing the overall ownership and management on data security.
- The policy helps in compliance with regulatory standards and legal obligations pertaining to data privacy and protection, like GDPR and HIPAA, that necessitate stringent data safeguarding measures.
- Implementing this policy through Infrastructure as Code (IaC) with tools like Terraform makes it easier and more efficient to apply across wide-ranging AWS services, enabling faster deployment, easier auditing, and consistent application of security measures.
Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)
- This policy ensures that data flowing through the Kinesis Stream is securely encrypted using a Customer Managed Key (CMK), protecting sensitive information from unauthorized access.
- The CMK encryption method enhances the security level as it gives the user more control over the encryption keys unlike the default AWS managed keys, thus preventing potential access by unwanted or unauthorized entities.
- Implementing this policy through Infrastructure as Code (IaC) using Terraform eliminates manual errors, streamlines security deployment across multiple Kinesis streams, and ensures consistency in enforcing security practices.
- Non-compliance with this policy can lead to potential data breaches, compliance issues, and significant reputational and financial loss if sensitive data is exposed.
Ensure Kinesis Firehose delivery stream is encrypted
Ensure Kinesis Firehose delivery stream is encrypted
- This policy ensures that data being streamed through the Kinesis Firehose delivery stream is encrypted, enhancing the confidentiality and integrity of the data being transmitted.
- Enabling encryption on Kinesis Firehose Delivery Stream provides an additional layer of security and prevents unauthorized access to sensitive information, thereby complying with data protection regulations and standards.
- Non-compliance with this policy could result in potential data breaches, legal consequences, brand reputation damage, and losing customer trust if sensitive data is left unprotected in the stream.
- The policy is implemented using Infrastructure as Code (IaC) tool, Terraform which allows automated and consistent deployment of such security controls across the infrastructure. This greatly reduces the chances of manual error and oversight in security implementation.
Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK
Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK
- This policy ensures that data being transmitted via Kinesis Firehose Delivery Streams is encrypted, making it less likely to be readable or usable by unauthorized entities, hence increasing data confidentiality.
- Utilization of Customer Master Keys (CMK) for encryption elevates protection further as CMKs are specific to each user and therefore not easily deciphered by third parties.
- If not implemented properly, unencrypted or poorly encrypted data in the Kinesis Delivery Streams could lead to breaches of sensitive or critical information, potentially causing substantial reputation and monetary damage.
- Implementing and enforcing this policy with Infrastructure as Code (IaC) using Terraform ensures consistency and uniformity in security across all Kinesis Firehose Delivery Streams, reducing the risk of human errors or oversights.
Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK
Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK
- This policy ensures that the storage used for streaming video through Kinesis on AWS Connect instances is properly encrypted using a Customer Master Key (CMK), adding an extra layer of security to protect sensitive data from unauthorized access.
- By enforcing CMK usage, the policy allows for greater control over the cryptographic keys, as AWS clients can choose to have AWS manage keys on their behalf, or manage keys on their own both in AWS Key Management Service and on-premises.
- Implementing the policy in Terraform ensures consistent and automated deployment, reducing human error and streamlining operations within a secure environment, thereby facilitating compliance with security best practices and standards.
- Non-compliance with this policy could potentially expose sensitive video data to cyberthreats, leading to data breaches and non-compliance with regulatory requirements, which may result in significant financial and reputational damage for the organization.
Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager
Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager
- Ensuring that Elastic Load Balancer uses SSL certificates provided by AWS Certificate Manager enhances data security by encrypting the data during transmission. This makes it difficult for potential attackers to intercept sensitive information.
- AWS Certificate Manager provides a centralized way to manage and deploy SSL certificates, thus this policy simplifies certificate administration tasks such as procurement, deployment, renewal, and deletion and thereby reduces human error and the subsequent risk of security breaches.
- Since AWS Certificate Manager automatically handles renewals, the policy would prevent any overlooked expirations of certificate that could lead to lapse in encryption and hence compromise data security.
- Implementing this policy with Infrastructure as Code (IaC) using Terraform facilitates automated compliance checks and policy enforcement - making it easier to maintain, replicate, and scale secure infrastructure setups.
Ensure IAM policies that allow full - administrative privileges are not created
Ensure IAM policies that allow full - administrative privileges are not created
- Restricting the creation of IAM policies that allow full “
*-*” administrative privileges helps in maintaining a principle of least privilege, ensuring only necessary permissions are granted. This significantly reduces the risk of unauthorized access or potential misuse of permissions. - Without this policy, there could be unrestricted access across all services within the AWS environment, increasing the risk of inadvertent modifications or deletions, possibly leading to business disruption, data loss or service unavailability.
- Overly permissive IAM policies could potentially open up avenues for security breaches. A hacker who gains access to these permissions could take control of the entire AWS account, stealing sensitive information, or injecting malicious code.
- Imposing this security policy encourages the adoption of role-based access control (RBAC), increasing accountability and enforceability. This can help an organization monitor and audit user actions more effectively and detect policy violations promptly.
Ensure no IAM policies documents allow * as a statement's actions
Ensure no IAM policies documents allow * as a statement's actions
- This policy ensures that overly broad permissions aren’t given out, which could lead to unauthorized access. By stopping the usage of “
*” as a statement’s actions in IAM policies, it ensures that permissions are granted only to specific resources and actions. - Enforcing this rule prevents potential misuse or exploitation, reducing the risk of a major data breach. If compromised, an overly permissive policy can lead to substantial damage inside the AWS Infrastructure.
- Ensuring no IAM policies allow “
*” as a statement’s actions promotes the best practice of least privilege, meaning that users, roles, or services are granted only the minimum permissions necessary to perform their tasks. This significantly minimizes the potential impact if a security breach does occur. - An IAM policy that allows “
*” as a statement’s actions is not compliant with industry standards and regulatory frameworks such as ISO 27001, PCI-DSS, or GDPR, potentially leading to legal implications and penalties. The enforcement of this rule keeps the infrastructure compliant.
Ensure AWS IAM policy does not allow full IAM privileges
Ensure AWS IAM policy does not allow full IAM privileges
- Ensuring AWS IAM policy does not allow full IAM privileges helps to reduce the risk of unauthorized access and data breaches. By limiting the powers of each IAM role, you make sure that even if an attacker somehow gains access to your AWS account, they will not have full control over all resources.
- The existence of full IAM privileges within your AWS infrastructure makes it difficult to track and manage access to resources. It violates the principle of least privilege, which states that an entity must be able to access only the information and resources necessary for its legitimate purpose.
- Implementing this policy aids in cloud governance and compliance. There might be legal and regulatory standards against giving unlimited access to your data and services, so by preventing full IAM privileges, you ensure your organization remains compliant and avoids potential fines or legal issues.
- Granting full access means that any mistake or misconfiguration could potentially result in large-scale problems. For example, an erroneously executed command could delete all of your resources, or a misconfigured access control could expose your data publicly. By limiting permissions, you’re reducing the likelihood of such catastrophic errors.
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell
- This policy ensures the prevention of Log4j message lookup attacks that leverage the critical vulnerability CVE-2021-44228, also known as log4jshell, which can give unauthorized remote code execution access to targeted systems, thus avoiding potential major security breaches.
- Employing this infra security policy aids in protecting any web application associated with the AWS::WAFv2::WebACL resources from possible intrusion attempts, thereby strengthening the overall security posture of the infrastructure.
- When implemented via Infrastructure as Code through Cloudformation, the security policy enhances automation, repeatability, and alleviates the need for manual intervention thereby reducing the risk of human error in ensuring compliance with the policy.
- The policy regulates the AWS WAF to monitor HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, or AWS AppSync GraphQL API, thus relieving the burden on said resources from having to handle potential malicious attempts.
Ensure that RDS global clusters are encrypted
Ensure that RDS global clusters are encrypted
- This policy is important to protect sensitive data stored in the RDS global clusters and to prevent unauthorized access. Encryption aids in maintaining data confidentiality and integrity by converting the original data into an unrecognizable format until it is decrypted.
- By encrypting RDS global clusters, the policy ensures compliance with the data privacy regulations like GDPR, HIPAA, which mandate the use of encryption for sensitive data. Failure to comply can lead to heavy fines and legal penalties.
- Complying with this policy provides an additional layer of defense in the event of a security breach. Even if an attacker gains access to the database, the encrypted data remains unusable unless the attacker also has the corresponding decryption key.
- The policy potentially improves customer trust and the organization’s reputation, as it demonstrates a commitment to maintaining robust security practices. A business operating with encrypted RDS global clusters is less likely to suffer devastating breaches of sensitive data.
Ensure RDS Cluster activity streams are encrypted using KMS CMKs
Ensure RDS Cluster activity streams are encrypted using KMS CMKs
- This policy ensures that RDS Cluster activity streams, which contain potentially sensitive information about database operations and changes, are protected with encryption. This significantly lowers the risk of unauthorized access and data breaches.
- The policy mandates the use of KMS CMKs (Key Management Service Customer Master Keys) for encryption, offering a high level of security. KMS manages the cryptographic keys for users, decreasing their burden of key management while enhancing security.
- If the policy is not adhered to, the RDS Cluster activity stream data could be compromised if intercepted, leading to potential data loss, violation of privacy regulations, and consequential penalties.
- It also sets a standard for infrastructure as code (IaC) approach using Terraform scripts, promoting automation, consistency, and efficiency in security practices across the organization’s infrastructure.
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM password policy expires passwords within 90 days or less
- This policy is significant because it mandates the expiration of IAM account passwords within 90 days or less, encouraging users to frequently change their passwords, thereby minimizing the risk of password-related security breaches.
- It has a direct impact on the integrity of user credentials by lowering the probability of unauthorized access due to often-used or stolen passwords, hence enhancing the security level of the entire aws_iam_account_password_policy entity.
- Implementing this policy using Infrastructure as Code (IaC) tool like Terraform automates password expiration, making the management of the policy more efficient, and reducing potential human error.
- Ensuring a password policy expiration also enables compliance with certain security standards and regulations which require regular password changes, making it crucial for organizations that need to meet these compliance requirements.
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy requires minimum length of 14 or greater
- The policy ensures that passwords used in AWS IAM have a minimum length of 14 characters, making it harder for malicious actors to guess or crack passwords, hence reducing the risk of unauthorized access to AWS resources.
- Implementation of this policy promotes good cyber hygiene, as longer passwords often translate to a significant increase in password combinations, making brute-force attack much less feasible.
- Non-compliance to this policy could potentially lead to exploited security vulnerabilities in infrastructure served by Terraform, thereby putting sensitive data and operations at risk of interference or theft.
- By enforcing a minimum password length of 14 or greater, the policy contributes to the overall robustness of the IAM system, its resilience against cyber threats, and the security of the operations managed on the platform.
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one lowercase letter
- This policy is critical because it demands a higher complexity for IAM passwords by enforcing the use of at least one lowercase letter, reducing the risk of brute force or dictionary attacks.
- It enhances the security of the AWS IAM accounts by making the password harder to guess or crack, hence offering an additional layer of protection against unauthorized access.
- Through increasing requirement for password complexity, it contributes to the conformance of security best practices and compliance requirements which often demand the inclusion of a mix of uppercase and lowercase characters.
- Utilizing Infrastructure as Code (IaC) tools like Terraform helps ensure this policy is consistently applied across all IAM accounts, aspects of the AWS environment, thereby reducing the likelihood of human errors in policy implementation.
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one number
- This policy enhances the security of IAM user accounts by requiring the inclusion of at least one numerical character in the password, making it harder for unauthorized users to guess or crack passwords.
- By implementing this policy via Terraform, it can be ensured that it is applied consistently across the infrastructure, reducing the risk of human error and maintaining the necessary security standard.
- It supports the best practice of password complexity to secure sensitive data and resources in an AWS environment and helps organizations comply with certain regulatory standards that dictate strong password policies.
- The policy can potentially deter or slow down brute-force attacks that guess passwords, as the attackers have to try a larger combination of possibilities, therefore increasing the security of IAM accounts.
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one symbol
- Requiring a symbol in an IAM password policy enhances security by making the password harder to guess or crack by brute-force attacks. Its complexity increases as it requires combinations of alphanumeric and special characters.
- The policy helps to protect critical AWS resources and data as it implies a high standard of security measures are being implemented. Loss of data integrity or data breach might be greatly minimized when tougher password protocols are followed.
- It helps organizations comply with various data protection regulations and standards, such as PCI DSS, GDPR, and ISO 27001, which demand strong access controls, including complex password policies.
- Implementing this policy with Infrastructure as Code (IaC) as Terraform, makes it easier and more efficient to deploy across multiple accounts or regions within AWS environment. Changes can easily be tracked and reversed if necessary.
Ensure IAM password policy requires at least one uppercase letter
Ensure IAM password policy requires at least one uppercase letter
- This security policy increases the complexity of IAM passwords, making them difficult to guess or crack through methods like brute force attacks, thereby helping to safeguard IAM accounts that are vital to AWS operations.
- If uppercase letters aren’t required in the IAM password policy, it can lead to creation of weak and easily guessable passwords, increasing the risk of unauthorized access which may lead to potential data breaches or misuse of AWS resources.
- With this policy in place, automated tools like Terraform can consistently enforce the requirement of uppercase letters in every IAM password across the various AWS accounts, ensuring uniformity in security practices.
- The consideration of this policy is significant for compliance with various information security standards and regulations which recommend or require passwords to contain a mix of uppercase and lowercase letters along with other character types.
Ensure resource is encrypted by KMS using a customer managed Key (CMK)
Ensure resource is encrypted by KMS using a customer managed Key (CMK)
- Implementing this rule ensures that valuable or sensitive data stored in the ‘aws_fsx_openzfs_file_system’ resource is always encrypted using Key Management Service (KMS) with a customer managed key. This prevents unauthorized users from accessing the information.
- This policy promotes data compliances, as encryption standards are a requirement set by regulations such as GDPR and HIPAA that mandate data to be encrypted both at rest and in transit. Violations of these regulations could lead to hefty penalties.
- Using a customer managed key (CMK) for encryption provides the user with more granular control over the cryptographic keys, which includes key rotation, managing permissions, and auditing how keys are used.
- The policy ensures a greater security measure against data breaches. Since the customer-managed key is used, even if the main AWS service is compromised, the encrypted data stored in the ‘aws_fsx_openzfs_file_system’ would remain secure, reducing the potential impact of hacker’s attacks.
Ensure VPC flow logging is enabled in all VPCs
Ensure VPC flow logging is enabled in all VPCs
- Enabling VPC flow logging in all VPCs provides visibility into the traffic entering and exiting the VPCs, which is essential for monitoring and troubleshooting potential network security issues.
- VPC flow logging is key in auditing and compliance as it records and stores metadata like source and destination IP addresses, packet and byte counts, and TCP flags, amongst others, confirming or refuting compliance with established network policies.
- Without VPC flow logging, real-time and historical analysis of the VPC’s network traffic, which can be crucial in incident response, is impossible, thereby increasing the risk of undetected malicious activities and data breaches.
- The VPCHasFlowLog.yaml Terraform check ensures that the logging is enabled by default and therefore alleviates the manual task of enabling it each time a new VPC is created, making it more difficult for mistakes or oversights to occur that could lead to security vulnerabilities.
Ensure EBS default encryption is enabled
Ensure EBS default encryption is enabled
- Enabling EBS default encryption ensures that all new EBS volumes and snapshot data are automatically encrypted, reducing the risk of data leakage or unauthorized access.
- This policy helps in compliance with regulatory standards and frameworks that require encryption of data at rest such as HIPAA, GDPR, and PCI DSS, such mitigating potential legal and financial implications.
- It significantly simplifies the management and enforcement of data encryption, as administrators do not have to encrypt each and every volume or snapshot manually.
- By enabling encryption by default, this policy enhances data protection in multi-tenant storage environments, reducing the potential exposure of sensitive data in the event of shared resource scenarios.
Ensure all data stored in the EBS is securely encrypted
Ensure all data stored in the EBS is securely encrypted
- This policy ensures that customer data stored in Amazon Elastic Block Store (EBS) volumes is encrypted, providing data security and compliance with regulations that require encryption of sensitive data, thus reducing the risk of data breaches.
- Application of this policy can prevent unauthorized disclosure of information, as all data at rest and moving between EC2 instances and EBS storage is encrypted, adding an extra layer of protection against data leaks or breaches.
- The encryption process incorporates industry standard AES-256 encryption algorithm, providing a robust and secure method of making sure your data on the EBS is unreadable to those without appropriate access permissions.
- An exception to this security policy might expose an organization’s data to potential cybersecurity threats, leading to financial losses, reputation damages, and non-compliance with data protection regulations.
Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)
Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)
- This policy ensures the security of your AWS Elastic Block Store (EBS) snapshots by enforcing encryption with a Customer Managed Key (CMK). This reduces the risk of unauthorized access to your data stored in these snapshots.
- Not encrypting your EBS snapshots with a CMK leaves them vulnerable to data breaches, which can result to heavy financial losses and damage to your business’ reputation. The policy mitigates this risk by mandating encryption.
- The use of a CMK provides you with full control over the key management and lifecycle including creation, rotation, and deletion. This can help your business meet your organization-specific, compliance, and regulatory requirements related to data protection.
- Using Terraform as Infrastructure as Code (IaC) allows you to automate the compliance with this security policy. This can increase efficiency, consistency and allow for ease in scaling without requiring individual manual configuration for each EBS snapshot.
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
- This policy helps protect sensitive data stored on Elastic Block Store (EBS) volumes, as encryption with a customer managed key (CMK) significantly reduces the chances of being compromised or unauthorized access.
- It allows users to have full control over their cryptographic keys by creating, owning, and managing their own CMKs. This is essential for organizations that are required to manage their own cryptographic materials in compliance with specific rules or regulations.
- Any data that is written to the EBS volume, including backups, snapshots, and replicas, is automatically encrypted under this policy. This significantly simplifies data protection procedures and minimizes the possibility of unencrypted data exposure.
- The policy ensures compliance with regulatory standards like HIPAA, GDPR, and PCI DSS which mandate encryption of sensitive data at rest. Non-compliance could lead to legal consequences and reputational damage.
Ensure all data stored in Aurora is securely encrypted at rest
Ensure all data stored in Aurora is securely encrypted at rest
- Ensuring all data stored in Aurora is securely encrypted at rest helps protect sensitive data from unauthorized access, enhancing data security. If an attacker gains physical access to the hardware, they will not be able to use the data without the encryption key.
- This policy conforms to compliance regulatory standards like GDPR, HIPAA, PCI-DSS, and more that require data encryption in specific fields. Failing to encrypt data can lead to heavy fines and legal consequences against these standard rules.
- Encryption at rest increases data integrity and confidentiality. If the data was compromised, it would be of no value without the decryption keys, thereby securing the data even in worst-case scenarios (e.g., data breaches).
- Implementing this policy with Infrastructure as Code (IaC) tool like CloudFormation ensures a standardized and consistent approach towards data encryption in Aurora across all applicable DB Clusters, reducing the risk of human error or overlooking this crucial security aspect.
CloudFront Distribution should have WAF enabled
CloudFront Distribution should have WAF enabled
- Enabling WAF (Web Application Firewall) on CloudFront distribution adds an extra layer of protection by inspecting incoming web traffic and providing a shield against common exploits like SQL Injection and Cross-Site Scripting attacks, thus reducing vulnerability.
- As CloudFront is a content delivery service, a security gap may result in congestion, Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks on assets. Enabling WAF helps prevent such threats, maintaining the availability of services.
- The policy ensures regulatory and compliance requirements are met, especially for businesses processing large amounts of sensitive data, by providing necessary safeguards and traffic controls on the edge locations close to the user.
- The policy encourages the use of Infrastructure as Code (IaC), which allows for automated security checks and prevent vulnerabilities right from the development stage. This allows for quicker threat detection and reduces the risk of human error during manual inspections.
Ensure the default security group of every VPC restricts all traffic
Ensure the default security group of every VPC restricts all traffic
- This policy aims to mitigate the risk of unauthorized access, data breaches, and potential attacks on your infrastructure by ensuring that the default security group of every Virtual Private Cloud (VPC) restricts all traffic unless explicitly allowed, making your environment more secure.
- The policy implements Infrastructure as Code (IaC) using Terraform, facilitating automated and version-controlled security configurations. This not only ensures consistency and reproducibility across multiple environments, reducing human errors, but also enables quick responses to configuration deviations.
- It specifically targets the aws_default_security_group and aws_vpc resources, making it highly relevant for organizations using AWS for cloud services. It ensures that your infrastructural entities are compliant with the best security practices in the industry and adhere to principles of least privilege access.
- By enforcing this policy, organizations not only bolster their defenses against malicious parties but also create a conducive environment for achieving compliances, such as GDPR or HIPAA, which often require stringent traffic control mechanisms. It also allows for easier auditability and accountability within the organization for better governance.
Ensure SNS topic policy is not public by only allowing specific services or principals to access it
Ensure SNS topic policy is not public by only allowing specific services or principals to access it
- This policy ensures that only specific, authorized services or principals have access to the SNS topic, thereby minimizing the likelihood of unauthorized access and information breach, maintaining data confidentiality.
- By enforcing granular access control, the policy helps to prevent misuse of the SNS topic for the distribution of offensive, harmful, or misleading content by unknown or unauthorized entities, ensuring the credibility and integrity of the messages.
- The policy prevents potential Denial of Service (DoS) attacks where mass requests from public could overwhelm the SNS topic, ensuring service availability for genuine users.
- Utilizing this policy augments regulatory compliance by promoting best-practice security controls, potentially aiding in GDPR, HIPAA, PCI-DSS alignment, and being audit-ready.
Ensure that Amazon EMR clusters' security groups are not open to the world
Ensure that Amazon EMR clusters' security groups are not open to the world
- The policy safeguards the Amazon EMR clusters against unauthorized access and potential security threats by ensuring that their security groups are not openly accessible from anywhere on the internet.
- By enforcing this policy, you protect sensitive, potentially proprietary data from being accessible, thereby preventing data breaches and maintaining compliance with data privacy laws and regulations.
- Implementing this policy via Terraform infrastructure-as-code tools provides streamlined, automated enforcement, reducing the risk of human error in configuration and enhancing overall cluster security.
- Violation of this policy could result in compromised EMR clusters, which can be exploited to launch larger-scale attacks on associated AWS resources, leading to unscheduled downtime, loss of customer trust, and potential financial and reputational damage.
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions
- Enabling encryption in transit for EFS volumes in ECS Task definitions ensures the confidentiality and integrity of data as it is passed over networks between the ECS Tasks and EFS file systems. This is particularly relevant when dealing with sensitive information that could be intercepted or corrupted during transmission.
- By applying this policy, any unauthorized modification to the data during transmission will be detected. It prevents ‘man-in-the-middle’ attacks where an intruder intercepts the communication between two points and alters the information.
- ECS Task definitions without encrypting EFS volumes could potentially violate compliance regulations. Enforcing this policy keeps operations within AWS and global security standards, preventing legal ramifications and reputation damage due to non-compliance.
- Additionally, a direct impact of not having this policy could result in increased vulnerability to security breaches, leading to potential financial loss, disruption to operations, and data leaks, which can have severe consequences for businesses.
Ensure SageMaker Notebook is encrypted at rest using KMS CMK
Ensure SageMaker Notebook is encrypted at rest using KMS CMK
- This policy aims to safeguard sensitive data processed or stored in the SageMaker Notebook by encrypting it at rest using Key Management Service (KMS) Customer Master Key (CMK), reducing the risk of unauthorized access or data exposure.
- Encryption using KMS CMK provides an additional layer of security beyond the default AWS managed keys, as the customer has direct control over the CMK, including its rotation and revocation, increasing data security and compliance standards.
- Failing to use encryption at rest could result in non-compliance with data protection regulations and organizations might face hefty fines or other legal consequences.
- This policy also supports Infrastructure as Code (IaC) practices by leveraging Terraform scripts for resource implementation, allowing efficient deployment, versioning, and management of the AWS resources and security settings.
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest
- This policy ensures the integrity and confidentiality of sensitive data by encrypting it when it’s not in use, reducing the risk of data breaches and unauthorized access that could result in severe fines and damage to brand reputation.
- Using secure encryption methods in AWS Sagemaker Endpoint configurations can protect the data against potential threats such as hacking attempts, internal misuse, or inadvertent data leakage, thereby enhancing data privacy and compliance with legal and regulatory data protection standards.
- The policy also provides a security feature to safeguard in-transit data (when moving from one location to another) by enforcing server-side encryption which makes it unreadable until it is decrypted with the correct key.
- With the Infrastructure as Code (IaC) approach such as Terraform, infrastructure becomes easier to manage, audit, and reproduce, facilitating automation of this policy across various stages of the development life cycle, thereby ensuring continuous security and compliance enforcement.
Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)
Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)
- This policy ensures the encryption of the data within the Sagemaker domain, providing additional security measures by preventing unauthorized users from reading or manipulating the data. Encryption effectively renders data useless to those who do not possess the correct decryption key.
- The use of a Customer Managed Key (CMK) provides greater control and flexibility over your AWS KMS keys. This allows you to establish and enforce your own key policies, usage permissions, and its lifecycle, thereby giving you full control over your data security.
- Without this policy, Sagemaker domains could be left vulnerable to data breaches or unauthorized access. This could result in sensitive information being exposed, and can lead to loss of data integrity and breach of compliance requirements.
- Utilizing the Infrastructure as Code (IaC) tool Terraform in the implementation of this policy can lead to more efficient and effective security management processes. This method eliminates risks associated with manual configuration and promotes consistency, repeatability, and scalability of infrastructure across different cloud environments.