Cloud Risk Database

AWS Kinesis Stream must have encryption enabled via AWS KMS Customer Managed Key (CMK)

secrets-manager-003

Secrets Manager Unrestricted Access

secrets-manager-002

Secrets Manager Automatic Rotation Disabled

secrets-manager-001

AWS SageMaker Notebook must be configured within a VPC

sagemaker-notebook-003

S3 Bucket is not Encrypted with a KMS Key

s3-030

S3 Bucket Policy not enforcing encryption in transit by only allowing actions over SSL/TLS

s3-033

S3 Bucket Static Website Hosting Enabled

s3-032

S3 Bucket Versioning is not Enabled

s3-029

S3 RestrictPublicBuckets is not Enabled

s3-027

S3 Bucket BlockPublicPolicy is not Enabled

s3-025

S3 Bucket BlockPublicAcls is not Enabled

s3-024

S3 Bucket Policy ACL FULL_CONTROL Permission Granted to All Public Users

s3-022

S3 Bucket ACL FULL_CONTROL Permission Granted to All Authenticated Users

s3-021

S3 Bucket ACL WRITE Permission Granted to All Authenticated Users

s3-020

S3 Bucket ACL READ Permission Granted to All Authenticated Users

s3-019

S3 Bucket ACL WRITE_ACP Permission Granted to All Authenticated Users

s3-018

S3 Bucket ACL READ_ACP Permission Granted to All Authenticated Users

s3-017

S3 Bucket ACL FULL_CONTROL Permission Granted to All Authenticated Users

s3-016

S3 Bucket ACL WRITE Permission Granted to All

s3-015

S3 Bucket ACL WRITE_ACP Permission Granted to All

s3-014

S3 Bucket ACL READ Permission Granted to All

s3-013

S3 Bucket ACL READ_ACP Permission Granted to All

s3-012

S3 Bucket not Encrypted

s3-004

S3 Bucket Policy Restricts by IP Address

s3-002

Route53 Automatic Renewal Disabled

route53-005

Route53 Zone Query Logging Disabled

route53-001

Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL.

rest-stage-005

API Gateway X-Ray Disabled

rest-stage-004

API Gateway SSL Disabled

rest-stage-003

API Gateway Execution Logging Disabled

rest-stage-002

API Gateway Cache Not Encrypted

rest-stage-001

AWS API Gateway Method Request must have API Key requirement enabled

rest-resource-001

AWS API Gateway Rest API Endpoint types must be set to private, not exposed to the public internet

rest-api-001

AWS Redshift Cluster must not have an Elastic IP attachment

redshift-006

Redshift Cluster Audit Logging Not Enabled

redshift-005

Redshift Cluster Does not Require SSL

redshift-003

Redshift Snapshot Retention is Less Than 30 Days

redshift-001

AWS RDS Instance must have automatic backup enabled

rds-21

AWS RDS Instance must be on a supported engine version

rds-020

AWS RDS Cluster must be on a supported engine version

rds-018

AWS RDS Cluster must have automatic backup enabled

rds-017

Checks if an Amazon Aurora MySQL cluster has backtracking enabled. This rule is NON_COMPLIANT if the Aurora cluster uses MySQL and it does not have backtracking enabled.

rds-016

RDS Cluster Multi-AZ is Disabled

rds-015

RDS Instance Multi-AZ Support is Disabled

rds-014

RDS Logging is Disabled

rds-013

RDS Instance IAM Authentication Disabled

rds-012

Cloud Risk Database

AWS Default VPC must be removed

VPC with Cross Account Connections

AWS Transit Gateway must disable default route table associations

AWS Transit Gateway must disable default route table propagations

AWS Transit Gateway must have auto-accept shared attachments disabled

AWS Transfer Server must use FIPS-compliant, restrictive Security Policy

AWS Transfer Server must not have public endpoint

SQS Queue not Encrypted

AWS SNS Topic must not be publicly accessible

SNS Delivery Status Logging Not Configured

SNS Topic not Encrypted

AWS EC2 Instance running CentOS Linux must be on a supported version

AWS EC2 Instance running Windows Server must be on a supported version

AWS EC2 Instance running Amazon Linux must be on a supported version

AWS Default Security Group must restrict all traffic

AWS Security Group must be associated with a VPC

AWS Security Group must not allow unrestricted outbound access

Security Group RDP (4333) Port Open to Public

ElastiCache Replication Group Publicly Available for Any Source

Default Security Groups have Unrestricted Access

Security Groups Not in Use

Security Group RDP (3389) Port Open to Public

Security Group PostgreSQL (5432) Port Open to Public

Security Group MySQL (3306) Port Open to Public

Security Group Memcached (11211) UDP Port Open to Public

Security Group Kibana (5601) Port Open to Public

Security Group FTP (20) Port Open to Public

Security Group Redshift (5439) Port Open to Public

Security Group Oracle (1521) Port Open to Public

Security Group MongoDB (27017) Port Open to Public

Security Group FTP (21) Port Open to Public

EC2 Instance Telnet (23) Port Open to Public

EC2 Instance TCP (8080) Port Open to Public

EC2 Instance SQL (1433) Port Open to Public

EC2 Instance PostgreSQL (5432) Port Open to Public

EC2 Instance Oracle (1521) Port Open to Public

EC2 Instance MySQL (3306) Port Open to Public

EC2 Instance FTP (21) Port Open to Public

Security Group has Any Protocol Open

EC2 Instance Elasticsearch (9200/9300) Ports Open to Public

Security Group SQL (1433) Port Open to Public

EC2 Instance Redshift (5439) Port Open to Public

EC2 Instance MongoDB (27017) Port Open to Public

Security Group Elasticsearch (9300) Port Open to Public

Security Group Telnet (23) Port Open to Public

Security Group TCP (8080) Port Open to Public

Security Group SSH (22) Port Open to Public

Security Group Elasticsearch (9200) Port Open to Public

EC2 Instance SSH (22) Port Open to Public

EC2 Instance RDP (3389) Port Open to Public

EC2 Instance Memcache UDP (11211) Port Open to Public

EC2 Instance Kibana (5601) Port Open to Public

EC2 Instance FTP (20) Port Open to Public

Security Groups with Host IP Addresses Defined

AWS Kinesis Stream must have encryption enabled via AWS KMS Customer Managed Key (CMK)

Secrets Manager Unrestricted Access

Secrets Manager Automatic Rotation Disabled

AWS SageMaker Notebook must be configured within a VPC

S3 Bucket is not Encrypted with a KMS Key

S3 Bucket Policy not enforcing encryption in transit by only allowing actions over SSL/TLS

S3 Bucket Static Website Hosting Enabled

S3 Bucket Versioning is not Enabled

S3 RestrictPublicBuckets is not Enabled

S3 Bucket BlockPublicPolicy is not Enabled

S3 Bucket BlockPublicAcls is not Enabled

S3 Bucket Policy ACL FULL_CONTROL Permission Granted to All Public Users

S3 Bucket ACL FULL_CONTROL Permission Granted to All Authenticated Users

S3 Bucket ACL WRITE Permission Granted to All Authenticated Users

S3 Bucket ACL READ Permission Granted to All Authenticated Users

S3 Bucket ACL WRITE_ACP Permission Granted to All Authenticated Users

S3 Bucket ACL READ_ACP Permission Granted to All Authenticated Users

S3 Bucket ACL FULL_CONTROL Permission Granted to All Authenticated Users

S3 Bucket ACL WRITE Permission Granted to All

S3 Bucket ACL WRITE_ACP Permission Granted to All

S3 Bucket ACL READ Permission Granted to All

S3 Bucket ACL READ_ACP Permission Granted to All

S3 Bucket not Encrypted

S3 Bucket Policy Restricts by IP Address

Route53 Automatic Renewal Disabled