AC_AWS_0552 | Ensure MFA is enabled for the "root user" account | AWS | Compliance Validation | HIGH |
AC_AWS_0557 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0558 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | AWS | Security Best Practices | HIGH |
AC_AWS_0571 | Ensure a log metric filter and alarm exist for VPC changes | AWS | Security Best Practices | HIGH |
AC_AWS_0573 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | AWS | Identity and Access Management | MEDIUM |
AC_AWS_0576 | Ensure private subnets are not used to deploy AWS NAT Gateways | AWS | Data Protection | HIGH |
AC_AWS_0582 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | AWS | Logging and Monitoring | HIGH |
AC_AWS_0584 | Ensure CloudTrail log file validation is enabled | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0589 | Ensure AWS Config is enabled in all regions | AWS | Logging and Monitoring | HIGH |
AC_AWS_0590 | Ensure the default security group of every VPC restricts all traffic | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0595 | Ensure access keys are rotated every 90 days or less | AWS | Identity and Access Management | MEDIUM |
AC_AWS_0596 | Ensure credentials unused for 45 days or greater are disabled | AWS | Compliance Validation | LOW |
AC_AWS_0620 | Ensure there is no policy with wildcards (*) used in principal for Amazon Simple Notification Service (SNS) Topic | AWS | Identity and Access Management | LOW |
S3_AWS_0006 | Ensure bucket policy is enforced with least privileges for all AWS S3 buckets - Terraform Version 1.x | AWS | Identity and Access Management | HIGH |
S3_AWS_0007 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible - Terraform Version 1.x | AWS | Logging and Monitoring | MEDIUM |
S3_AWS_0008 | Ensure that Object-level logging for write events is enabled for S3 bucket - Terraform Version 1.x | AWS | Identity and Access Management | HIGH |
S3_AWS_0011 | Ensure there are no world-listable AWS S3 Buckets - Terraform Version 1.x | AWS | Identity and Access Management | HIGH |
S3_AWS_0012 | Ensure AWS S3 Buckets are not world-listable for anonymous users - Terraform Version 1.x | AWS | Identity and Access Management | HIGH |
AC_AWS_0139 | Ensure password policy requires rotation every 60 days or less for AWS IAM Account Password Policy | AWS | Compliance Validation | LOW |
AC_AWS_0145 | Ensure that full access to edit IAM Policies is restricted | AWS | Identity and Access Management | HIGH |
AC_AWS_0386 | Ensure that inline policy does not expose secrets in AWS Secrets Manager | AWS | Security Best Practices | HIGH |
AC_AWS_0626 | Ensure CloudTrail is enabled in all regions | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0004 | Ensure AWS Certificate Manager (ACM) certificates are renewed 45 days before expiration date | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0006 | Ensure Amazon Machine Image (AMI) is not shared among multiple accounts | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0007 | Ensure detailed CloudWatch Metrics are enabled for AWS API Gateway Method Settings | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0018 | Ensure encryption is enabled for AWS Athena Query | AWS | Data Protection | MEDIUM |
AC_AWS_0019 | Ensure there is no policy with Empty array Action | AWS | Identity and Access Management | LOW |
AC_AWS_0025 | Ensure there is no policy with invalid principal format for Amazon Elastic Container Registry (Amazon ECR) | AWS | Identity and Access Management | LOW |
AC_AWS_0026 | Ensure there is no IAM policy with invalid region used for resource ARN | AWS | Identity and Access Management | LOW |
AC_AWS_0027 | Ensure there is no IAM policy with invalid partition used for resource ARN | AWS | Identity and Access Management | LOW |
AC_AWS_0031 | Ensure only lower case letters are in use for resource in AWS IAM Policy | AWS | Security Best Practices | LOW |
AC_AWS_0037 | Ensure logging for global services is enabled for AWS CloudTrail | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0057 | Ensure CA certificate used is not older than 1 year for Amazon Relational Database Service (Amazon RDS) instances | AWS | Data Protection | HIGH |
AC_AWS_0070 | Ensure auto minor version upgrade is enabled for AWS Database Migration Service (DMS) instances | AWS | Security Best Practices | MEDIUM |
AC_AWS_0095 | Ensure potential PASSWORD information is not disclosed in container definition for AWS ECS service | AWS | Data Protection | HIGH |
AC_AWS_0097 | Ensure VPC is enabled for AWS Redshift Cluster | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0098 | Ensure Customer Managed Keys (CMK) are used for encryption of AWS Elastic File System (EFS) | AWS | Data Protection | HIGH |
AC_AWS_0109 | Ensure latest version of Elasticsearch engine is used for AWS ElasticSearch Domains | AWS | Compliance Validation | MEDIUM |
AC_AWS_0112 | Ensure encryption at-rest is enabled for AWS ElasticSearch Domains | AWS | Data Protection | HIGH |
AC_AWS_0114 | Ensure node-to-node encryption is enabled for AWS ElasticSearch Domains | AWS | Data Protection | MEDIUM |
AC_AWS_0121 | Ensure cross zone load balancing is enabled for AWS ELB | AWS | Resilience | MEDIUM |
AC_AWS_0123 | Ensure access logging is enabled for AWS ELB | AWS | Logging and Monitoring | MEDIUM |
AC_AWS_0130 | Ensure 'Job Bookmark Encryption' is enabled for AWS Glue Crawlers | AWS | Data Protection | MEDIUM |
AC_AWS_0141 | Ensure password policy requires minimum length of 7 for AWS IAM Account Password Policy | AWS | Compliance Validation | MEDIUM |
AC_AWS_0160 | Ensure rotation for customer created CMKs is enabled | AWS | Data Protection | HIGH |
AC_AWS_0164 | Ensure VPC access is enabled for AWS Lambda Functions | AWS | Infrastructure Security | MEDIUM |
AC_AWS_0168 | Ensure there are no hard-coded keys used in base64 encoded value of AWS Launch Configuration | AWS | Data Protection | HIGH |
AC_AWS_0178 | Ensure customer managed KMS key is used for encrypting AWS MQ Brokers | AWS | Data Protection | HIGH |
AC_AWS_0184 | Ensure deletion protection is enabled for AWS QLDB Ledger | AWS | Resilience | MEDIUM |
AC_AWS_0197 | Ensure a KMS customer managed key (CMK) is used for encryption of AWS Redshift clusters | AWS | Security Best Practices | HIGH |
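Several of the Identity and Access Management rows above (AC_AWS_0019, AC_AWS_0620, AC_AWS_0026, AC_AWS_0027, AC_AWS_0031) are static checks over an IAM policy document. The linter below is an added example, not the scanner's own implementation; it assumes the check semantics stated in the table, uses the three real ARN partitions, and carries a deliberately abbreviated region allowlist (a real scanner would load the full list). The sample policy and its statements are constructed for the example; the account id is the AWS documentation placeholder.

```python
"""Linter for several IAM policy document checks listed in the table above.

Added example, not the scanner's own code. Check ids match the table; the
detection logic, VALID_PARTITIONS and the abbreviated KNOWN_REGIONS set are
assumptions made for this example.
"""
import re
from typing import Any

# The three real ARN partitions. The region allowlist is intentionally short
# for the example (assumption); load the full list in a real scanner.
VALID_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
KNOWN_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
    "eu-west-1", "eu-west-2", "eu-central-1",
    "ap-southeast-1", "ap-northeast-1",
    "cn-north-1", "us-gov-west-1",
}
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]*):(?P<service>[^:]*):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list:
    """Flatten Principal ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def lint_policy(doc: dict) -> list[tuple[int, str, str]]:
    """Return (statement index, check id, detail) for every finding."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        # AC_AWS_0019: an empty Action array grants nothing and is almost
        # always an authoring mistake.
        if "Action" in stmt and _as_list(stmt["Action"]) == []:
            findings.append((idx, "AC_AWS_0019", "empty Action array"))

        # AC_AWS_0620: wildcard principal, i.e. anyone, on a resource policy.
        if "*" in _principals(stmt):
            findings.append((idx, "AC_AWS_0620", "wildcard (*) in Principal"))

        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                continue
            m = ARN_RE.match(res)
            if m is None:
                # Not one of the table's ids; a malformed ARN cannot be checked.
                findings.append((idx, "MALFORMED_ARN", f"malformed ARN {res!r}"))
                continue
            partition, region = m["partition"], m["region"]
            # AC_AWS_0027: partition must be a real AWS partition.
            if "*" not in partition and partition not in VALID_PARTITIONS:
                findings.append((idx, "AC_AWS_0027", f"invalid partition in {res!r}"))
            # AC_AWS_0026: region, when present, must be a real region
            # (global services such as IAM and S3 leave it empty).
            if region and "*" not in region and region not in KNOWN_REGIONS:
                findings.append((idx, "AC_AWS_0026", f"invalid region in {res!r}"))
            # AC_AWS_0031: resource should use lower case letters only.
            if res != res.lower():
                findings.append((idx, "AC_AWS_0031", f"upper case letters in {res!r}"))
    return findings


# Constructed sample policy for the example (account id is the AWS docs placeholder).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-logs/*"},            # clean
        {"Effect": "Allow", "Action": [], "Resource": "*"},       # AC_AWS_0019
        {"Effect": "Allow", "Principal": {"AWS": "*"},            # AC_AWS_0620
         "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"},
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": [
             "arn:aws-eu:sqs:eu-west-1:123456789012:queue",       # AC_AWS_0027
             "arn:aws:sqs:eu-west-9:123456789012:queue",          # AC_AWS_0026
             "arn:aws:sqs:eu-west-1:123456789012:Queue",          # AC_AWS_0031
         ]},
    ],
}

if __name__ == "__main__":
    for idx, check, detail in lint_policy(SAMPLE_POLICY):
        print(f"Statement[{idx}] {check}: {detail}")
```

Treat the AC_AWS_0031 result as a lint rather than a hard failure: IAM user and role names, and therefore their ARNs, are case-sensitive, so an upper-case letter in the resource segment may be correct even though one in the partition, service or region segment never is.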