https://github.com/ollionorg/cloud-custodian-aws-policies
CloudCustodian Rules engine for cloud security and governance, DSL in yaml for policies to query, filter, and take actions on resources
Last synced: 9 days ago
- Host: GitHub
- URL: https://github.com/ollionorg/cloud-custodian-aws-policies
- Owner: ollionorg
- License: mit
- Created: 2023-01-16T06:27:09.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-08-25T08:30:43.000Z (about 1 year ago)
- Last Synced: 2024-04-16T14:13:43.057Z (7 months ago)
- Topics: auto-remediation, automation, aws, c7n, cloud, cloud-security, cloud-security-audit, cloud-security-posture-management, cloudcustodian, compliance, cspm, custodian, governance, policies, security-policies, security-tools
- Homepage:
- Size: 271 KB
- Stars: 12
- Watchers: 2
- Forks: 8
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
README
![cloudcover-part-of-sttc-color-dark-logo.png](.img/cloudcover-part-of-sttc-color-dark-logo.png)
---
# Cloud Custodian Policies for AWS
> powered by GitHub Actions

# Prerequisites
* Service quota for CloudWatch Events rules raised to at least `200` in each region:
```shell
aws service-quotas request-service-quota-increase \
--service-code events \
--quota-code L-244521F2 \
--desired-value 200
```
* Filenames of alert policies should start with `a-`
* Filenames of remediation policies should start with `r-`

---
# Custodian Policy Structure
* Ensure `Account {account_id} - ` is present in the `description`, so that policies deployed to multiple accounts can be told apart.
* Ensure `name` is short. If the `name` is too long, the validation check will fail.
* Ensure the role name is not changed, as it is deployed via Terraform in the prerequisites.

---
# Using with GitHub Actions
> Ensure [validation.yml](.github/workflows/validation.yml) is being used for sanity checks.

To use the policies with an AWS account, refer to the [sample workflow](.github/sample-workflow.yml) file.
The sample workflow below is for `cloudtrail`-based policies. Workflows for hourly/daily frequencies can be created the same way.

```yaml
name: sample-workflow

on:
  push:
    branches:
      - main
    paths:
      - policies/cloudtrail/**

defaults:
  run:
    shell: bash
    working-directory: policies/cloudtrail/

env:
  AWS_ACCOUNT_ID: "123456789012"
  # Bash array literal, expanded verbatim in the regional deploy step below
  REGION_LIST: |
    (
    "us-east-1"
    "ap-southeast-1"
    )
  ROLE_NAME: custodian-sample-role

jobs:
  CustodianDeployer:
    name: Deploy Lambda for CloudTrail Events
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Install python3.8
        uses: actions/setup-python@v2
        with:
          python-version: '3.8'

      - name: Install Custodian
        run: |
          pip install c7n

      - name: Configure AWS credentials from ${{env.AWS_ACCOUNT_ID}} account
        run: |
          CREDS=( $(aws sts assume-role --role-arn "arn:aws:iam::${{env.AWS_ACCOUNT_ID}}:role/${{env.ROLE_NAME}}" --role-session-name "${{env.ROLE_NAME}}" --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --duration-seconds 5400 --output text) )
          unset AWS_ACCESS_KEY_ID
          unset AWS_SECRET_ACCESS_KEY
          unset AWS_SESSION_TOKEN
          AWS_ACCESS_KEY_ID=${CREDS[0]}
          echo "::add-mask::$AWS_ACCESS_KEY_ID"
          echo AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID >> $GITHUB_ENV
          AWS_SECRET_ACCESS_KEY=${CREDS[1]}
          echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
          echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY >> $GITHUB_ENV
          AWS_SESSION_TOKEN=${CREDS[2]}
          echo "::add-mask::$AWS_SESSION_TOKEN"
          echo AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN >> $GITHUB_ENV

      - name: Check Access
        run: |
          aws sts get-caller-identity

      # Regional resources: deploy every policy once per region in REGION_LIST
      - name: Deploy regional policies
        run: |
          find . \( -iname "*.yml" -o -iname "*.yaml" \) | { grep -v "route53\|cloudfront\|iam\|s3" || true; } | while read POLICY; do
            sed -i 's,REPLACE_WEBHOOK_HERE,${{ secrets.CUSTODIAN_SLACK_WEBHOOK }},g' "$POLICY"
            array=${{ env.REGION_LIST }}
            for REGION in ${array[*]}; do
              custodian run -s /tmp/ -v --cache-period 0 -c "$POLICY" --region "$REGION"
            done
          done

      # Global services (Route 53, CloudFront, IAM, S3): deploy once, in us-east-1
      - name: Deploy global policies
        run: |
          find . \( -iname "*.yml" -o -iname "*.yaml" \) | { grep "route53\|cloudfront\|iam\|s3" || true; } | while read POLICY; do
            sed -i 's,REPLACE_WEBHOOK_HERE,${{ secrets.CUSTODIAN_SLACK_WEBHOOK }},g' "$POLICY"
            custodian run -s /tmp/ -v --cache-period 0 -c "$POLICY" --region us-east-1
          done
```

### Notes
* Ensure `REGION_LIST` inside the workflow file is changed to the regions you deploy to.
* Create an individual workflow file for each frequency.
* Slack webhook: this repo uses the `CUSTODIAN_SLACK_WEBHOOK` GitHub Secret to replace the webhook placeholder during deployment.

---
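A sanity check for the policy structure rules above and for the webhook placeholder the workflow substitutes, as an added example (not the repo's `validation.yml`). It assumes a 54-character name limit (AWS caps Lambda names at 64 and Custodian prefixes `custodian-`), treats any action other than `notify` as remediation, and the two sample policies are constructed:

```python
"""Checks for this repo's policy conventions: a-/r- filename prefix, "Account <id> - "
in the description, a short name, an unchanged execution role, and the
REPLACE_WEBHOOK_HERE placeholder the workflow's sed step fills in at deploy time."""
import re
from pathlib import Path

ACCOUNT_RE = re.compile(r"^Account (\d{12}) - ")
WEBHOOK_PLACEHOLDER = "REPLACE_WEBHOOK_HERE"
# Assumption: Custodian names the Lambda "custodian-<policy name>" and AWS caps
# Lambda function names at 64 characters, which leaves 54 for the policy name.
MAX_NAME_LEN = 64 - len("custodian-")
# Assumption: a policy whose only action is notify is an alert (a-); any action
# that changes a resource makes it a remediation (r-).
REPORT_ONLY_ACTIONS = {"notify"}


def action_types(policy):
    """Action type names of a policy, accepting both string and mapping forms."""
    out = []
    for action in policy.get("actions") or []:
        out.append(action if isinstance(action, str) else action.get("type", ""))
    return out


def strings_in(obj):
    """Yield every string nested anywhere inside a parsed policy fragment."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for value in (obj.values() if isinstance(obj, dict) else obj):
            yield from strings_in(value)


def check_policy(policy, filename, account_id, role_name):
    """Return the list of convention violations for one policy (empty = OK)."""
    problems = []
    name = policy.get("name", "")
    types = action_types(policy)
    prefix = "r-" if any(t not in REPORT_ONLY_ACTIONS for t in types) else "a-"
    if not filename.startswith(prefix):
        problems.append(f"{filename}: filename should start with '{prefix}'")
    match = ACCOUNT_RE.match(policy.get("description", ""))
    if not match:
        problems.append(f"{name}: description must start with 'Account <id> - '")
    elif match.group(1) != account_id:
        problems.append(f"{name}: description names account {match.group(1)}, expected {account_id}")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"{name}: name longer than {MAX_NAME_LEN} characters")
    mode = policy.get("mode") or {}
    if mode and mode.get("role") != role_name:
        problems.append(f"{name}: mode.role is {mode.get('role')!r}, expected {role_name!r}")
    if "notify" in types:
        values = list(strings_in(policy.get("actions")))
        if any("hooks.slack.com" in v for v in values):
            problems.append(f"{name}: hard-coded Slack webhook; use {WEBHOOK_PLACEHOLDER} instead")
        elif not any(WEBHOOK_PLACEHOLDER in v for v in values):
            problems.append(f"{name}: notify action lacks {WEBHOOK_PLACEHOLDER}")
    return problems


def check_file(path, account_id, role_name):
    """Validate every policy in one YAML file (PyYAML is a c7n dependency)."""
    import yaml
    doc = yaml.safe_load(Path(path).read_text()) or {}
    problems = []
    for policy in doc.get("policies") or []:
        problems += check_policy(policy, Path(path).name, account_id, role_name)
    return problems


# Constructed sample policies (not from the repo): one compliant, one breaking four rules.
GOOD_POLICY = {
    "name": "a-sagemaker-direct-internet-access",
    "description": "Account 123456789012 - Amazon SageMaker Notebook Instances "
                   "Should Not Have Direct Internet Access",
    "resource": "aws.sagemaker-notebook",
    "mode": {"type": "cloudtrail", "role": "custodian-sample-role"},
    "actions": [{"type": "notify", "to": [WEBHOOK_PLACEHOLDER]}],
}
BAD_POLICY = {
    "name": "security-group-open-ssh",
    "description": "VPC security groups should restrict SSH from 0.0.0.0/0",
    "resource": "aws.security-group",
    "mode": {"type": "cloudtrail", "role": "custodian-admin"},
    "actions": [{"type": "remove-permissions", "ingress": "matched"},
                {"type": "notify", "to": ["https://hooks.slack.com/services/T0/B0/x"]}],
}
```

Run `check_file(path, "123456789012", "custodian-sample-role")` over each file under `policies/` in the validation workflow and fail the job when the returned list is non-empty.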
# List of Policies
| Policy Name | Description | Resource Name |
|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|
| r-security-group-ingress-mysql-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress mysql access from 0.0.0.0/0 replace with VPN IP | security-group |
| route53-domain-has-autorenew-enabled | Account 123456789012 - Ensure AWS Route 53 domains have AutoRenew enabled | r53domain |
| r-security-group-ingress-rdp-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress rdp access from 0.0.0.0/0 replace with VPN IP | security-group |
| r-security-group-ingress-ftp20-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress ftp20 access from 0.0.0.0/0 replace with VPN IP | security-group |
| r-security-group-ingress-ssh-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress SSH access from 0.0.0.0/0 replace with VPN IP | security-group |
| a-vpn-tunnels-status-verify | Account 123456789012 - Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status | aws.vpn-connection |
| r-security-group-ingress-ahsp-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress ahsp access from 0.0.0.0/0 replace with VPN IP | security-group |
| r-security-group-ingress-all-tcp-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress TCP access from 0.0.0.0/0 replace with VPN IP | security-group |
| r-security-group-ingress-all-udp-access-replace-vpn-ip | Account 123456789012 - VPC security groups should restrict ingress UDP access from 0.0.0.0/0 replace with VPN IP | security-group |
| route53-reg-domain-has-transfer-lock | Account 123456789012 - Ensure AWS Route 53 Registered domain has Transfer lock enabled | r53domain |
| iam-access-key1-rotated-90-days-or-less | Account 123456789012 - Ensure access key1 is rotated every 90 days or less | iam-user |
| no-cmk-is-marked-for-deletion | Account 123456789012 - Ensure CMK KMS is not marked for deletion | kms-key |
| root-account-mfa-enabled-check | Account 123456789012 - Ensure MFA is enabled for the root account | account |
| cmk-use-external-key-material | Account 123456789012 - Ensure CMK KMS uses external key material | kms-key |
| aws-kms-key-rotation-is-enabled | Account 123456789012 - Ensure rotation for customer created CMKs is enabled | aws.kms-key |
| unencrypted-unattached-ebs-are-deleted | Account 123456789012 - Ensure unattached EBS volumes are encrypted | ebs |
| aws-lambda-version-latest-not-custom | Account 123456789012 - Ensure AWS Lambda version is $LATEST and not custom version | aws.lambda |
| a-sagemaker-direct-internet-access | Account 123456789012 - Amazon SageMaker Notebook Instances Should Not Have Direct Internet Access | aws.sagemaker-notebook |
| iam-45-days-unused-keys | Account 123456789012 - Ensure access keys unused for 45 days are disabled/deleted | iam-user |
| a-secret-manager-no-aws-default-kmsKey-used-check | Account 123456789012 - Ensure no AWS default KMS Key is used to protect Secrets | aws.secrets-manager |
| cloudfront-distributions-aws-waf-enabled | Account 123456789012 - CloudFront Distributions Should Have AWS WAF Enabled | aws.distribution |
| rds-instance-public-accessibility-enable | Account 123456789012 - Ensure that Public Accessibility is set to No for Database Instances | rds |
| elasticache-clusters-data-at-rest-encrypted | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted | elasticache-group |
| cloudtrail-log-file-validation-is-enabled | Account 123456789012 - Ensure CloudTrail log file validation is enabled | aws.cloudtrail |
| a-vpc-network-acl-unused | Account 123456789012 - Unused network access control lists should be removed | network-acl |
| r-sns-encrypted-at-rest | Account 123456789012 - Set Encryption On SNS topics | aws.sns |
| list-vpc-in-lambda | Account 123456789012 - list vpc in lambda | lambda |
| check-default-vpc-in-lambda | Account 123456789012 - check default vpc in lambda | vpc |
| throttle-lambdas-in-default-vpc | Account 123456789012 - throttle Lambdas in default VPC | lambda |
| unrestricted-ssh | Account 123456789012 - Ensure security group ingress doesn't allow 0.0.0.0/0 to port 22 | aws.security-group |
| redis-are-in-transit-encrypted | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are In-Transit encrypted | elasticache-group |
| iam-policies-attached-to-groups-roles | Account 123456789012 - Ensure IAM policies are attached only to groups or roles | aws.iam-user |
| aws-security-group-default-deny | Account 123456789012 - Ensure the default security group of every VPC restricts all traffic | aws.security-group |
| es-encryption-at-rest | Account 123456789012 - Amazon Elasticsearch Service Domains Should Have Encryption At Rest Enabled | aws.elasticsearch |
| rest-api-gateway-stage-logging-enabled | Account 123456789012 - API Gateway Stage Logging Should Be Enabled | rest-stage |
| eip-attached | Account 123456789012 - Ensure EIP allocated to VPC are attached to EC2 instances or in-use ENIs | network-addr |
| iam-user-unused-credentials | Account 123456789012 - Ensure user credentials unused for 90 days are disabled/deleted | aws.iam-user |
| rds-instance-enhance-monitoring-enable | Account 123456789012 - Ensure Enhance monitoring is enabled for RDS Database Instance | rds |
| waf-enabled | Account 123456789012 - Ensure Waf enabled on ALB | app-elb |
| r-unused-ec2-eips-removed | Account 123456789012 - Unused EC2 EIPs should be removed | aws.elastic-ip |
| no-managed-policies-attached-iam-users-directly | Account 123456789012 - Ensure no Managed Policies are attached to IAM Users directly | iam-user |
| r-redshift-automatic-snapshots-enabled | Account 123456789012 - Amazon Redshift Clusters Should Have Automatic Snapshots Enabled | redshift |
| rds-automatic-minor-version-upgrades-enabled | Account 123456789012 - RDS Automatic Minor Version Upgrades Should Be Enabled | aws.rds |
| a-elbv2-accesslog-enabled-check | Account 123456789012 - ELBv2 Accesslog Enabled Check | app-elb |
| flow-logs-are-enabled-in-all-region | Account 123456789012 - Ensure VPC flow logging is enabled in all VPCs | vpc |
| a-security-groups-unused | Account 123456789012 - Ensure no unused security groups exists | aws.security-group |
| r-s3-bucket-encryption-set | Account 123456789012 - Ensure S3 bucket encryption is enabled | s3 |
| redis-has-multi-az-failover-enabled | Account 123456789012 - Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature is set to enabled | elasticache-group |
| vpc-sg-opened-only-to-authorized-ports | Account 123456789012 - Ensure security group doesn't have 0.0.0.0/0 ingress except for port 443 | aws.security-group |
| sagemaker-endpoint-configuration-encryption | Account 123456789012 - SageMaker Endpoint Configuration Encryption Should Be Enabled | aws.sagemaker-endpoint-config |
| r-redshift-automatic-upgrades-major-versions-enabled | Account 123456789012 - Amazon Redshift Should Have Automatic Upgrades To Major Versions Enabled | aws.redshift |
| route53-domain-is-not-expired-high | Account 123456789012 - Ensure AWS Route 53 Registered domain is not expired | r53domain |
| unused-iam-with-password-ak-deleted | Account 123456789012 - Users with no password and no access key that are older than 7 days are deleted | iam-user |
| cloudfront-distribution-origin-access-identity-enabled | Account 123456789012 - CloudFront distributions should have origin access identity enabled | aws.distribution |
| es-least-three-data-nodes | Account 123456789012 - Elasticsearch domains should have at least three data nodes | aws.elasticsearch |
| aws-lambda-env-vars-encrypted-at-rest | Account 123456789012 - Ensure AWS Lambda env vars encrypted at rest | aws.lambda |
| rds-backup-enabled | Account 123456789012 - RDS DB Instance Backup Should Be Enabled | aws.rds |
| es-node-to-node-encryption-enabled | Account 123456789012 - Ensure AWS Elasticsearch Service domains are using the latest version of Elasticsearch engine | elasticsearch |
| elasticache-memcache-not-using-default-ports | Account 123456789012 - Ensure that AWS ElastiCache Memcached clusters are not using 11211 port | cache-cluster |
| iam-policies-in-use | Account 123456789012 - Ensure IAM policy are in use | iam-policy |
| cloudfront-distributions-require-encryption-transit | Account 123456789012 - CloudFront distributions should require encryption in transit | aws.distribution |
| s3-account-level-public-access-blocks | Account 123456789012 - Ensure Account level S3 public access block is enabled | aws.account |
| es-has-enabled-slow-logs-to-cw-logs | Account 123456789012 - Ensure AWS Elasticsearch Service domains have enabled the support for publishing slow logs to AWS CloudWatch Logs | elasticsearch |
| aws-log-group-missing-retention-days | Account 123456789012 - Ensure log groups have retention period set | aws.log-group |
| rds-instance-encryption-enable | Account 123456789012 - Ensure Encryption is enabled for the database Instance | rds |
| dynamodb-encrypted-aws-kms | Account 123456789012 - DynamoDB table should be encrypted with AWS KMS | aws.dynamodb-table |
| r-delete-igw-unattached-vpc | Account 123456789012 - Delete internet gateways unattached vpc | internet-gateway |
| no-root-account-access-key-exists | Account 123456789012 - Ensure no root account access key exists | account |
| aws-config-is-enabled-in-all-regions | Account 123456789012 - Ensure AWS Config is enabled in all regions | account |
| elasticache-clusters-in-transit-encrypted | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are In-Transit encrypted | elasticache-group |
| rds-instance-deletion-protection-enable | Account 123456789012 - Ensure Deletion Protection is enabled for RDS DB Instance | rds |
| iam-policy-no-statements-with-admin-access | Account 123456789012 - Ensure IAM policy with no statements with admin access | iam-policy |
| a-elb-classic-connection-draining-check | Account 123456789012 - ELB Connection Draining Check | elb |
| cmk-expiry-set-with-ext-key-material | Account 123456789012 - Ensure that the key expiry is set for CMK with external key material | kms-key |
| iam-allow-all-policy-alert | Account 123456789012 - Ensure IAM policies that allow full administrative privileges are not created | iam-policy |
| cloudtrail-integrated-cloudwatch-logs | Account 123456789012 - Ensure CloudTrail trails are integrated with CloudWatch Logs | cloudtrail |
| a-wafv2-logging-enabled | Account 123456789012 - Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs) | aws.wafv2 |
| a-sns-encrypted-at-rest | Account 123456789012 - SNS topics should be encrypted at rest using AWS KMS | aws.sns |
| cloudtrail-logs-are-encrypted-using-kms-cmk | Account 123456789012 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs | aws.cloudtrail |
| a-elb-classic-crosszone-check | Account 123456789012 - ELB CrossZone Check | elb |
| aws-lambda-tracing-is-enabled | Account 123456789012 - Ensure AWS lambda tracing is enabled. | aws.lambda |
| rest-api-gateway-stages-ssl-backend-auth | Account 123456789012 - API Gateway REST API stages should be configured to use SSL certificates for backend authentication | rest-stage |
| s3-bucket-versioning-medium | Account 123456789012 - Ensure versioning is enabled for S3 buckets | s3 |
| es-least-three-dedicated-master-nodes | Account 123456789012 - Elasticsearch domains should be configured with at least three dedicated master nodes | aws.elasticsearch |
| r-apigateway-caching-verify | Account 123456789012 - API Gateway stage caching verify | rest-stage |
| cloudfront-distribution-logging-enabled | Account 123456789012 - CloudFront distribution should have logging enabled | aws.distribution |
| elb-custom-security-policy-ssl-check | Account 123456789012 - Ensure Classic LB SSL listeners are using custom policy | elb |
| iam-password-policy-best-practices | Account 123456789012 - IAM Password Policy Best Practices | account |
| aws-log-group-encryption-at-rest | Account 123456789012 - Log group encryption at rest should be enabled | aws.log-group |
| efs-encryption-has-cmk-for-data-at-rest | Account 123456789012 - Ensure CMK is used to encrypt data at rest for EFS | efs |
| elasticache-automatic-backup-retention-period-15 | Account 123456789012 - ElastiCache Redis Cluster Automatic Backup Should Be Enabled With Retention Period Of 15 days Or Greater | elasticache-group |
| aws-iam-ssl-tls-expired-certs-alert | Account 123456789012 - SSL/TLS Certificate that are already expired | iam-certificate |
| dms-instance-not-publicly-accessible | Account 123456789012 - DMS replication instances should not be publicly accessible | aws.dms-instance |
| r-redshift-enhanced-vpc-routing-enabled | Account 123456789012 - Amazon Redshift Clusters VPC Routing Enabled | redshift |
| ec2-instance-detailed-monitoring-enabled | Account 123456789012 - EC2 instance detailed monitoring should be enabled | ec2 |
| rest-api-gateway-stage-associated-aws-waf-web-acl | Account 123456789012 - API Gateway Should Be Associated With An AWS WAF Web ACL | rest-stage |
| ami-owned-by-an-aws-account-are-encrypted | Account 123456789012 - Ensure AMIs owned by an AWS account are encrypted | ami |
| s3-public-rw-prohibited | Account 123456789012 - Ensure S3 bucket prohibits public read or write access | s3 |
| rds-cluster-deletion-protection-enable | Account 123456789012 - Ensure Deletion Protection is enabled for RDS DB Cluster | rds-cluster |
| ec2-instance-ebs-optimization-enabled | Account 123456789012 - EC2 instance should have EBS optimization enabled | ec2 |
| root-account-hardware-mfa-enabled-check | Account 123456789012 - Ensure hardware MFA is enabled for the root account | account |
| cloudFront-distributions-default-root-object | Account 123456789012 - CloudFront Distributions Should Have A Default Root Object Configured | aws.distribution |
| iam-access-key1-rotated-45-days-or-less | Account 123456789012 - Ensure access key1 is rotated every 45 days or less | iam-user |
| acm-certificate-expiration-check | Account 123456789012 - ACM certificates about to expire in 14 days | acm-certificate |
| no-key-pair-present-in-aws-account | Account 123456789012 - Ensure no key pair present in aws account. | aws.key-pair |
| password-policy-check-pwd-reuse-prevention | Account 123456789012 - Ensure that the IAM Password Policy prevents a new password from being the same as the last 6 passwords. | aws.account |
| aws-log-group-retention-not-less-than-year | Account 123456789012 - Ensure log groups have retention period at least a year | aws.log-group |
| unrestricted-common-ports | Account 123456789012 - Ensure SG ingress doesn't allow 0.0.0.0/0 to ports 20,21,22,139,445,3306 or 3389 | aws.security-group |
| es-encrypted-tls-1-2 | Account 123456789012 - Connections to Elasticsearch domains should be encrypted using TLS 1.2 | aws.elasticsearch |
| aws-log-group-missing-retention-days-remediate | Account 123456789012 - Ensure log groups have retention period set | aws.log-group |
| elasticache-redis-not-using-default-ports | Account 123456789012 - Ensure that AWS ElastiCache redis clusters are not using 6379 port | elasticache-group |
| iam-90-days-unused-keys | Account 123456789012 - Ensure access keys unused for 90 days are disabled/deleted | iam-user |
| redis-clusters-are-encrypted-at-rest | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted | elasticache-group |
| r-redshift-encryption-enabled | Account 123456789012 - Redshift cluster audit logging and encryption should be enabled | aws.redshift |
| r-redshift-prohibit-public-access | Account 123456789012 - Amazon Redshift Clusters Should Prohibit Public Access | aws.redshift |
| copy-tags-volume-to-ebs-snapshots | Account 123456789012 - copy tags volume to ebs snapshots | ebs-snapshot |
| r-ebs-snapshots-create-encrypted | Account 123456789012 - Create encrypted ebs snapshot remove unencrypted ebs | ebs-snapshot |
| a-lambda-should-in-vpc | Account 123456789012 - Lambda functions should be in a VPC | lambda |
| cloudwatch-alarm-action-should-be-enabled | Account 123456789012 - CloudWatch alarm action should be enabled | aws.alarm |
| a-rds-aurora-clusters-backtracking-enabled | Account 123456789012 - Amazon Aurora clusters should have backtracking enabled | rds-cluster |
| internet-gateway-authorized-vpc-only | Account 123456789012 - Ensure Internet Gateway has authorized VPC | internet-gateway |
| a-elb-accesslog-enabled-check | Account 123456789012 - ELB Accesslog Enabled Check | elb |
| rds-cluster-encryption-enable | Account 123456789012 - Ensure Encryption is enabled for the RDS cluster | rds-cluster |
| dynamodb-point-in-time-recovery | Account 123456789012 - DynamoDB Table Point-In-Time Recovery Should Be Enabled | aws.dynamodb-table |
| redshift-cluster-public-access-check | Account 123456789012 - Ensure Redshift Cluster are not publicly accessible | redshift |
| kms-cmk-marked-for-deletion | Account 123456789012 - Ensure KMS CMK is not marked for deletion | kms-key |
| vpc-default-security-group-closed | Account 123456789012 - Ensure default security group of any VPC does not allow inbound or outbound traffic | aws.security-group |
| s3-mfa-delete-enabled | Account 123456789012 - Ensure MFA Delete Is Enabled On S3 Buckets | aws.s3 |
| r-apigateway-stage-cache-data-encrypted | Account 123456789012 - API Gateway REST API cache data should be encrypted at rest | rest-stage |
| r-elbv2-enabled-drop-http-headers | Account 123456789012 - ELBv2 Enabled Drop HTTP Headers | app-elb |
| efs-encryption-is-enabled-for-data-at-rest | Account 123456789012 - Ensure EFS Encryption is enabled for data at rest | efs |
| a-sagemaker-notebook-encryption | Account 123456789012 - Sagemaker Notebook Instance Encryption Missing. | aws.sagemaker-notebook |
| elasticsearch-node-to-node-encryption | Account 123456789012 - Ensure Elasticsearch has node to node encryption enabled | aws.elasticsearch |
| r-s3-enable-versioning | Account 123456789012 - s3 enable versioning | s3 |
| r-rest-api-gateway-stages-x-ray-tracing-enabled | Account 123456789012 - API Gateway REST API Stages should Have AWS X-Ray Tracing Enabled | rest-stage |
| r-elb-delete-unused | Account 123456789012 - Delete unused ELB | elb |
| redshift-cluster-tls-ssl-check | Account 123456789012 - Ensure Redshift Cluster require_ssl is not false | redshift |
| es-node-to-node-encryption-enabled | Account 123456789012 - Ensure node-to-node encryption feature is enabled for AWS Elasticsearch Service domains | elasticsearch |
| s3-access-logging-is-enabled | Account 123456789012 - Ensure Server access logging is enabled | s3 |
| a-redshift-audit-logging-enabled | Account 123456789012 - Redshift Cluster Audit Logging Should Be Enabled | aws.redshift |
| cloudtrail-is-enabled-all-region | Account 123456789012 - Ensure CloudTrail is enabled in all regions | aws.cloudtrail |
| r-aws-lambda-tracing-is-enabled | Account 123456789012 - Ensure AWS lambda tracing is enabled. | aws.lambda |
| a-rds-cluster-snapshot-shared-with-account | Account 123456789012 - Ensure RDS cluster snapshot is not shared with any aws account | rds-cluster-snapshot |
| a-elasticache-snapshot-copies-to-s3 | Account 123456789012 - Ensure Elasticache snapshot is not copied to S3 Bucket | cache-snapshot |
| a-rds-public-snapshot | Account 123456789012 - Ensure RDS Snapshot is not shared with public | rds-snapshot |
| a-rds-instance-access-to-public | Account 123456789012 - Ensure RDS instances are not publicly accessible | rds |
| a-s3-bucket-settings-for-public-is-set | Account 123456789012 - Ensure bucket settings are proper for public access | s3 |
| a-route53-has-autorenew-enabled | Account 123456789012 - Ensure AWS Route 53 domains have AutoRenew enabled | r53domain |
| a-s3-deny-bucket-policy-grant-access-to-all | Account 123456789012 - S3 Bucket Policy deny Access to Everyone | s3 |
| a-ec2-ami-creation-alert | Account 123456789012 - AMI Creation alert | ami |
| a-ec2-public-ami | Account 123456789012 - Ensure AMIs are not shared with public | ami |
| a-ec2-unattached-ebs-are-encrypted | Account 123456789012 - Ensure unattached EBS volumes are encrypted | ebs |
| a-ec2-public-ebs-snapshot | Account 123456789012 - Ensure EBS snapshot is not publicly accessible | ebs-snapshot |
| a-s3-server-side-encryption-is-enabled-for-s3-bucket | Account 123456789012 - Ensure Server Side Encryption is enabled | s3 |
| a-s3-bucket-acl-grant-access-to-all-or-auth-users | Account 123456789012 - S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users | s3 |
| ami-shared-with-other-account | Account 123456789012 - Ensure AMI is not shared with any aws account | ami |
| a-rds-public-cluster-snapshot | Account 123456789012 - Ensure RDS Cluster Snapshot is not shared with public | rds-cluster-snapshot |
| a-s3-access-logging-is-enabled-for-s3-buckets | Account 123456789012 - Ensure Server access logging is enabled | s3 |
| a-s3-versioning-is-enabled-for-s3-buckets | Account 123456789012 - Ensure versioning is enabled for S3 buckets | s3 |
| a-ec2-ebs-snapshot-shared-with-account | Account 123456789012 - Ensure EBS snapshot is not shared with any aws account | ebs-snapshot |
| a-redshift-snapshot-shared-with-account | Account 123456789012 - Ensure Redshift Cluster Snapshot is not shared with another account | redshift-snapshot |
| a-route53-reg-domain-has-transfer-lock | Account 123456789012 - Ensure AWS Route 53 Registered domain has Transfer lock enabled | r53domain |
| r-ec2-ami-shared-with-account | Ensure public launch permission from AMI are removed | ami |
| a-rds-snapshot-shared-with-account | Account 123456789012 - Ensure RDS snapshot is not shared with any aws account | rds-snapshot |
| a-iam-mfa-enable-users-with-console-password | Account 123456789012 - Ensure MFA must be enabled for all user accounts that have a console password. | aws.iam-user |
| a-firehose-delivery-stream-encryption-sse-configured | Account 123456789012 - Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured | firehose |
| a-redis-clusters-are-encrypted-with-cmk | Account 123456789012 - Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted with CMK | elasticache-group |
| a-elb-clb-is-not-using-unencrypted-protocol | Account 123456789012 - Classic ELB is using unencrypted protocol | elb |
| a-redis-clusters-are-auth-enabled | Account 123456789012 - Ensure AWS ElastiCache Redis cluster with Redis AUTH feature is enabled | elasticache-group |
| r-s3-server-side-encryption-is-enabled | Account 123456789012 - Ensure Server Side Encryption is enabled | s3 |
| a-firehose-delivery-stream-encryption-config-has-cmk | Account 123456789012 - Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured with KMS Customer Managed Keys | firehose |
| r-security-group-default-sg-remove-permissions | Account 123456789012 - Ensure default security group of any VPC does not allow inbound or outbound traffic | security-group |
| a-s3-acl-access-to-all-or-auth-users | Account 123456789012 - S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users | s3 |
| a-s3-deny-bucket-policy-access-to-all | Account 123456789012 - S3 Bucket Policy deny Access to Everyone | s3 |
| r-s3-policy-enforces-encryption-in-transit | Account 123456789012 - Ensure that bucket policy enforces encryption in transit | s3 |
| a-elb-listener-is-not-using-unencrypted-protocol | Account 123456789012 - Ensure ELB are not using unencrypted protocol | app-elb |
| r-security-group-unused-sg-remove | Account 123456789012 - Ensure remove unused security group | security-group |
| r-enable-vpc-flowlog-on-vpcs | Account 123456789012 - Ensure that each VPC has VPC FlowLogs enabled | vpc |
| a-s3-server-side-encryption-is-enabled | Account 123456789012 - Ensure Server Side Encryption is enabled | s3 |
| r-cloudwatch-set-log-group-retention | Account 123456789012 - Set log group retention on cloudwatch | log-group |