Ensure all data stored in the Elasticsearch is securely encrypted at rest
Ensure all Elasticsearch has node-to-node encryption enabled
Ensure IAM password policy prevents password reuse
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail is enabled in all Regions
Ensure CloudTrail logging is enabled
Ensure ELB Policy uses only secure protocols
Ensure EFS is securely encrypted
Ensure IAM policies that allow full "*-*" administrative privileges are not created
"*-*" administrative privileges helps in maintaining a principle of least privilege, ensuring only necessary permissions are granted. This significantly reduces the risk of unauthorized access or potential misuse of permissions.
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
Disallow policies from using the AWS AdministratorAccess policy
Ensure all data stored in RDS is not publicly accessible
Ensure that RDS clusters have deletion protection enabled
Ensure Elasticsearch Domain enforces HTTPS
Ensure the S3 bucket has access logging enabled
Ensure rotation for customer created CMKs is enabled
Ensure VPC subnets do not assign public IP by default
Ensure Kinesis Stream is securely encrypted
Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure Kinesis Firehose delivery stream is encrypted
Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK
Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK
Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager
Ensure IAM policies that allow full "*-*" administrative privileges are not created
"*-*" administrative privileges helps in maintaining a principle of least privilege, ensuring only necessary permissions are granted. This significantly reduces the risk of unauthorized access or potential misuse of permissions.
Ensure no IAM policies documents allow "*" as a statement's actions
"*" as a statement's actions in IAM policies, it ensures that permissions are granted only to specific resources and actions.
"*" as a statement's actions promotes the best practice of least privilege, meaning that users, roles, or services are granted only the minimum permissions necessary to perform their tasks. This significantly minimizes the potential impact if a security breach does occur.
"*" as a statement's actions is not compliant with industry standards and regulatory frameworks such as ISO 27001, PCI-DSS, or GDPR, potentially leading to legal implications and penalties. The enforcement of this rule keeps the infrastructure compliant.
Ensure AWS IAM policy does not allow full IAM privileges
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell
Ensure that RDS global clusters are encrypted
Ensure RDS Cluster activity streams are encrypted using KMS CMKs
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure resource is encrypted by KMS using a customer managed Key (CMK)
Ensure VPC flow logging is enabled in all VPCs
Ensure EBS default encryption is enabled
Ensure all data stored in the EBS is securely encrypted
Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
Ensure all data stored in Aurora is securely encrypted at rest
CloudFront Distribution should have WAF enabled
Ensure the default security group of every VPC restricts all traffic
Ensure SNS topic policy is not public by only allowing specific services or principals to access it
Ensure that Amazon EMR clusters' security groups are not open to the world
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions
Ensure SageMaker Notebook is encrypted at rest using KMS CMK
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest
Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)