full_checks.txt
565 lines (561 loc) · 68.4 KB
prowler v4.5.0 - the handy multi-cloud security tool
Date: 2024-11-05 13:45:29
[accessanalyzer_enabled] Check if IAM Access Analyzer is enabled - accessanalyzer [low]
[accessanalyzer_enabled_without_findings] Check if IAM Access Analyzer is enabled without findings - accessanalyzer [low]
[account_maintain_current_contact_details] Maintain current contact details. - account [medium]
[account_maintain_different_contact_details_to_security_billing_and_operations] Maintain different contact details to security, billing and operations. - account [medium]
[account_security_contact_information_is_registered] Ensure security contact information is registered. - account [medium]
[account_security_questions_are_registered_in_the_aws_account] Ensure security questions are registered in the AWS account. - account [medium]
[acm_certificates_expiration_check] Check if ACM certificates expire within a configurable number of days - acm [high]
[acm_certificates_transparency_logs_enabled] Check if ACM certificates have Certificate Transparency logging enabled - acm [medium]
[acm_certificates_with_secure_key_algorithms] Check if ACM Certificates use a secure key algorithm - acm [high]
[apigateway_restapi_authorizers_enabled] Check if API Gateway has authorizers configured at API or method level. - apigateway [medium]
[apigateway_restapi_cache_encrypted] Check if API Gateway REST API cache data is encrypted at rest. - apigateway [medium]
[apigateway_restapi_client_certificate_enabled] Check if API Gateway Stage has client certificate enabled to access your backend endpoint. - apigateway [medium]
[apigateway_restapi_logging_enabled] Check if API Gateway Stage has logging enabled. - apigateway [medium]
[apigateway_restapi_public] Check if API Gateway endpoint is public or private. - apigateway [medium]
[apigateway_restapi_public_with_authorizer] Check if API Gateway public endpoint has an authorizer configured. - apigateway [medium]
[apigateway_restapi_tracing_enabled] Check if AWS X-Ray tracing is enabled for API Gateway REST API stages. - apigateway [low]
[apigateway_restapi_waf_acl_attached] Check if API Gateway Stage has a WAF ACL attached. - apigateway [medium]
[apigatewayv2_api_access_logging_enabled] Ensure API Gateway V2 has Access Logging enabled. - apigateway [medium]
[apigatewayv2_api_authorizers_enabled] Check if API Gateway V2 has configured authorizers. - apigateway [medium]
[appstream_fleet_default_internet_access_disabled] Ensure default Internet access is disabled for Amazon AppStream fleet streaming instances. - appstream [medium]
[appstream_fleet_maximum_session_duration] Ensure user maximum session duration is no longer than 10 hours. - appstream [medium]
[appstream_fleet_session_disconnect_timeout] Ensure session disconnect timeout is set to 5 minutes or less. - appstream [medium]
[appstream_fleet_session_idle_disconnect_timeout] Ensure session idle disconnect timeout is set to 10 minutes or less. - appstream [medium]
[athena_workgroup_encryption] Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3 in order to secure data and meet compliance requirements for data-at-rest encryption. - athena [medium]
[athena_workgroup_enforce_configuration] Ensure that workgroup configuration is enforced so it cannot be overridden by client-side settings. - athena [medium]
[athena_workgroup_logging_enabled] Ensure that logging is enabled for Amazon Athena workgroups to capture query activity. - athena [medium]
[autoscaling_find_secrets_ec2_launch_configuration] [DEPRECATED] Find secrets in EC2 Auto Scaling Launch Configuration - autoscaling [critical]
[autoscaling_group_capacity_rebalance_enabled] Check if Amazon EC2 Auto Scaling groups have capacity rebalance enabled. - autoscaling [medium]
[autoscaling_group_elb_health_check_enabled] Check if Auto Scaling groups associated with a load balancer use ELB health checks. - autoscaling [low]
[autoscaling_group_launch_configuration_no_public_ip] Check if Amazon EC2 instances launched using Auto Scaling group launch configurations have Public IP addresses. - autoscaling [high]
[autoscaling_group_launch_configuration_requires_imdsv2] Check if Auto Scaling group launch configurations require Instance Metadata Service Version 2 (IMDSv2). - autoscaling [high]
[autoscaling_group_multiple_az] EC2 Auto Scaling Group should use multiple Availability Zones - autoscaling [medium]
[autoscaling_group_multiple_instance_types] EC2 Auto Scaling Group should use multiple instance types in multiple Availability Zones. - autoscaling [medium]
[autoscaling_group_using_ec2_launch_template] Check if Amazon EC2 Auto Scaling groups use EC2 launch templates. - autoscaling [medium]
[awslambda_function_inside_vpc] Ensure AWS Lambda Functions Are Deployed Inside a VPC - lambda [low]
[awslambda_function_invoke_api_operations_cloudtrail_logging_enabled] Check if Lambda function Invoke API operations are recorded by CloudTrail. - lambda [low]
[awslambda_function_no_secrets_in_code] Find secrets in Lambda functions code. - lambda [critical]
[awslambda_function_no_secrets_in_variables] Find secrets in Lambda functions variables. - lambda [critical]
[awslambda_function_not_publicly_accessible] Check if Lambda functions have resource-based policy set as Public. - lambda [critical]
[awslambda_function_url_cors_policy] Check Lambda Function URL CORS configuration. - lambda [medium]
[awslambda_function_url_public] Check Public Lambda Function URL. - lambda [high]
[awslambda_function_using_supported_runtimes] Find obsolete Lambda runtimes. - lambda [medium]
[awslambda_function_vpc_multi_az] Check if AWS Lambda function VPC is deployed across multiple Availability Zones - lambda [medium]
[backup_plans_exist] Ensure that there is at least one AWS Backup plan - backup [low]
[backup_recovery_point_encrypted] Check if AWS Backup recovery points are encrypted at rest. - backup [medium]
[backup_reportplans_exist] Ensure that there is at least one AWS Backup report plan - backup [low]
[backup_vaults_encrypted] Ensure that AWS Backup vaults are encrypted with AWS KMS - backup [medium]
[backup_vaults_exist] Ensure AWS Backup vaults exist - backup [low]
[bedrock_agent_guardrail_enabled] Ensure that Guardrails are enabled for Amazon Bedrock agent sessions. - bedrock [high]
[bedrock_guardrail_prompt_attack_filter_enabled] Configure Prompt Attack Filter with the highest strength for Amazon Bedrock Guardrails. - bedrock [high]
[bedrock_guardrail_sensitive_information_filter_enabled] Configure Sensitive Information Filters for Amazon Bedrock Guardrails. - bedrock [high]
[bedrock_model_invocation_logging_enabled] Ensure that model invocation logging is enabled for Amazon Bedrock. - bedrock [medium]
[bedrock_model_invocation_logs_encryption_enabled] Ensure that Amazon Bedrock model invocation logs are encrypted with KMS. - bedrock [high]
[cloudformation_stack_outputs_find_secrets] Find secrets in CloudFormation outputs - cloudformation [critical]
[cloudformation_stacks_termination_protection_enabled] Enable termination protection for CloudFormation stacks - cloudformation [medium]
[cloudfront_distributions_custom_ssl_certificate] CloudFront distributions should use custom SSL/TLS certificates. - cloudfront [medium]
[cloudfront_distributions_default_root_object] Check if CloudFront distributions have a default root object. - cloudfront [high]
[cloudfront_distributions_field_level_encryption_enabled] Check if CloudFront distributions have Field Level Encryption enabled. - cloudfront [low]
[cloudfront_distributions_geo_restrictions_enabled] Check if Geo restrictions are enabled in CloudFront distributions. - cloudfront [low]
[cloudfront_distributions_https_enabled] Check if CloudFront distributions are set to HTTPS. - cloudfront [medium]
[cloudfront_distributions_https_sni_enabled] Check if CloudFront distributions are using SNI to serve HTTPS requests. - cloudfront [low]
[cloudfront_distributions_logging_enabled] Check if CloudFront distributions have logging enabled. - cloudfront [medium]
[cloudfront_distributions_multiple_origin_failover_configured] Check if CloudFront distributions have origin failover enabled. - cloudfront [low]
[cloudfront_distributions_origin_traffic_encrypted] Check if CloudFront distributions encrypt traffic to custom origins. - cloudfront [medium]
[cloudfront_distributions_s3_origin_access_control] Check if CloudFront distributions with S3 origin use OAC. - cloudfront [medium]
[cloudfront_distributions_s3_origin_non_existent_bucket] CloudFront distributions should not point to non-existent S3 origins without static website hosting. - cloudfront [high]
[cloudfront_distributions_using_deprecated_ssl_protocols] Check if CloudFront distributions are using deprecated SSL protocols. - cloudfront [low]
[cloudfront_distributions_using_waf] Check if CloudFront distributions are using WAF. - cloudfront [medium]
[cloudtrail_bucket_requires_mfa_delete] Ensure the CloudTrail S3 bucket requires MFA delete - cloudtrail [medium]
[cloudtrail_cloudwatch_logging_enabled] Ensure CloudTrail trails are integrated with CloudWatch Logs - cloudtrail [low]
[cloudtrail_insights_exist] Ensure CloudTrail Insights is enabled - cloudtrail [low]
[cloudtrail_kms_encryption_enabled] Ensure CloudTrail logs are encrypted at rest using KMS CMKs - cloudtrail [medium]
[cloudtrail_log_file_validation_enabled] Ensure CloudTrail log file validation is enabled - cloudtrail [medium]
[cloudtrail_logs_s3_bucket_access_logging_enabled] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - cloudtrail [medium]
[cloudtrail_logs_s3_bucket_is_not_publicly_accessible] Ensure the S3 bucket holding CloudTrail logs is not publicly accessible - cloudtrail [critical]
[cloudtrail_multi_region_enabled] Ensure CloudTrail is enabled in all regions - cloudtrail [high]
[cloudtrail_multi_region_enabled_logging_management_events] Ensure CloudTrail is logging management events in all regions - cloudtrail [low]
[cloudtrail_s3_dataevents_read_enabled] Check if object-level logging of S3 read events is enabled in CloudTrail. - cloudtrail [low]
[cloudtrail_s3_dataevents_write_enabled] Check if object-level logging of S3 write events is enabled in CloudTrail. - cloudtrail [low]
[cloudtrail_threat_detection_enumeration] Ensure there are no potential enumeration threats in CloudTrail - cloudtrail [critical]
[cloudtrail_threat_detection_llm_jacking] Ensure there are no potential LLM Jacking threats in CloudTrail. - cloudtrail [critical]
[cloudtrail_threat_detection_privilege_escalation] Ensure there are no potential privilege escalation threats in CloudTrail - cloudtrail [critical]
[cloudwatch_alarm_actions_alarm_state_configured] Check if CloudWatch alarms have specified actions configured for the ALARM state. - cloudwatch [high]
[cloudwatch_alarm_actions_enabled] Check if CloudWatch alarms have actions enabled - cloudwatch [high]
[cloudwatch_changes_to_network_acls_alarm_configured] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL). - cloudwatch [medium]
[cloudwatch_changes_to_network_gateways_alarm_configured] Ensure a log metric filter and alarm exist for changes to network gateways. - cloudwatch [medium]
[cloudwatch_changes_to_network_route_tables_alarm_configured] Ensure route table changes are monitored - cloudwatch [medium]
[cloudwatch_changes_to_vpcs_alarm_configured] Ensure a log metric filter and alarm exist for VPC changes. - cloudwatch [medium]
[cloudwatch_cross_account_sharing_disabled] Check if CloudWatch has allowed cross-account sharing. - cloudwatch [medium]
[cloudwatch_log_group_kms_encryption_enabled] Check if CloudWatch log groups are protected by AWS KMS. - cloudwatch [medium]
[cloudwatch_log_group_no_critical_pii_in_logs] Check if secrets exist in CloudWatch logs. - cloudwatch [medium]
[cloudwatch_log_group_no_secrets_in_logs] Check if secrets exist in CloudWatch logs. - cloudwatch [medium]
[cloudwatch_log_group_not_publicly_accessible] Ensure that CloudWatch Log Groups are not publicly accessible - cloudwatch [high]
[cloudwatch_log_group_retention_policy_specific_days_enabled] Check if CloudWatch Log Groups have a retention policy of specific days. - cloudwatch [medium]
[cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled] Ensure a log metric filter and alarm exist for AWS Config configuration changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled] Ensure a log metric filter and alarm exist for CloudTrail configuration changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_authentication_failures] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures. - cloudwatch [medium]
[cloudwatch_log_metric_filter_aws_organizations_changes] Ensure a log metric filter and alarm exist for AWS Organizations changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created KMS CMKs. - cloudwatch [medium]
[cloudwatch_log_metric_filter_for_s3_bucket_policy_changes] Ensure a log metric filter and alarm exist for S3 bucket policy changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_policy_changes] Ensure a log metric filter and alarm exist for IAM policy changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_root_usage] Ensure a log metric filter and alarm exist for usage of root account. - cloudwatch [medium]
[cloudwatch_log_metric_filter_security_group_changes] Ensure a log metric filter and alarm exist for security group changes. - cloudwatch [medium]
[cloudwatch_log_metric_filter_sign_in_without_mfa] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA. - cloudwatch [medium]
[cloudwatch_log_metric_filter_unauthorized_api_calls] Ensure a log metric filter and alarm exist for unauthorized API calls. - cloudwatch [medium]
[codeartifact_packages_external_public_publishing_disabled] Ensure CodeArtifact internal packages do not allow external public source publishing. - codeartifact [critical]
[codebuild_project_logging_enabled] Ensure that CodeBuild projects have S3 or CloudWatch logging enabled - codebuild [medium]
[codebuild_project_no_secrets_in_variables] Ensure CodeBuild projects do not contain secrets in plaintext environment variables - codebuild [critical]
[codebuild_project_older_90_days] Ensure CodeBuild Project has been invoked in the last 90 days - codebuild [medium]
[codebuild_project_s3_logs_encrypted] Ensure S3 Logs for CodeBuild Projects are encrypted at rest. - codebuild [low]
[codebuild_project_source_repo_url_no_sensitive_credentials] Ensure CodeBuild project source repository URLs do not contain sensitive credentials - codebuild [critical]
[codebuild_project_user_controlled_buildspec] Ensure CodeBuild Project uses a controlled buildspec - codebuild [medium]
[codebuild_report_group_export_encrypted] CodeBuild report group exports are encrypted at rest - codebuild [medium]
[cognito_identity_pool_guest_access_disabled] Ensure Cognito Identity Pool has guest access disabled - cognito [medium]
[cognito_user_pool_advanced_security_enabled] Ensure Cognito user pools have advanced security enabled in full-function mode - cognito [medium]
[cognito_user_pool_blocks_compromised_credentials_sign_in_attempts] Ensure that advanced security features are enabled for Amazon Cognito User Pools to block sign-in by users with suspected compromised credentials - cognito [medium]
[cognito_user_pool_blocks_potential_malicious_sign_in_attempts] Ensure that your Amazon Cognito user pool blocks potential malicious sign-in attempts - cognito [medium]
[cognito_user_pool_client_prevent_user_existence_errors] Amazon Cognito User Pool should prevent user existence errors - cognito [medium]
[cognito_user_pool_client_token_revocation_enabled] Ensure that token revocation is enabled for Amazon Cognito User Pools - cognito [medium]
[cognito_user_pool_deletion_protection_enabled] Ensure Cognito user pools have deletion protection enabled to prevent accidental deletion - cognito [medium]
[cognito_user_pool_mfa_enabled] Ensure Multi-Factor Authentication (MFA) is enabled for Amazon Cognito User Pools - cognito [medium]
[cognito_user_pool_password_policy_lowercase] Ensure Cognito User Pool has password policy to require at least one lowercase letter - cognito [medium]
[cognito_user_pool_password_policy_minimum_length_14] Ensure that the password policy for your user pools requires a minimum length of 14 or greater - cognito [medium]
[cognito_user_pool_password_policy_number] Ensure that the password policy for your user pool requires a number - cognito [medium]
[cognito_user_pool_password_policy_symbol] Ensure that the password policy for your Amazon Cognito user pool requires at least one symbol. - cognito [medium]
[cognito_user_pool_password_policy_uppercase] Ensure that the password policy for your user pool requires at least one uppercase letter - cognito [medium]
[cognito_user_pool_self_registration_disabled] Ensure self registration is disabled for Amazon Cognito User Pools - cognito [medium]
[cognito_user_pool_temporary_password_expiration] Ensure that the user pool has a temporary password expiration period of 7 days or less - cognito [medium]
[cognito_user_pool_waf_acl_attached] Ensure that Amazon Cognito User Pool is associated with a WAF Web ACL - cognito [medium]
[config_recorder_all_regions_enabled] Ensure AWS Config is enabled in all regions. - config [medium]
[config_recorder_using_aws_service_role] Ensure Config Recorder is using service-linked AWS Config role - config [medium]
[datasync_task_logging_enabled] DataSync tasks should have logging enabled - datasync [high]
[directconnect_connection_redundancy] Ensure Direct Connect connections are redundant - directconnect [medium]
[directconnect_virtual_interface_redundancy] Ensure Direct Connect virtual interface(s) are providing redundant connections - directconnect [medium]
[directoryservice_directory_log_forwarding_enabled] Ensure Directory Service log forwarding to CloudWatch Logs is enabled. - directoryservice [medium]
[directoryservice_directory_monitor_notifications] Ensure Directory Service has SNS notifications enabled. - directoryservice [medium]
[directoryservice_directory_snapshots_limit] Check if the Directory Service manual snapshot limit has been reached. - directoryservice [low]
[directoryservice_ldap_certificate_expiration] Check Directory Service LDAP certificates for expiration. - directoryservice [medium]
[directoryservice_radius_server_security_protocol] Ensure the RADIUS server in DS is using the recommended security protocol. - directoryservice [medium]
[directoryservice_supported_mfa_radius_enabled] Ensure Multi-Factor Authentication (MFA) using a RADIUS server is enabled in DS. - directoryservice [medium]
[dlm_ebs_snapshot_lifecycle_policy_exists] Ensure EBS Snapshot lifecycle policies are defined. - dlm [medium]
[dms_endpoint_mongodb_authentication_enabled] Check if DMS endpoints for MongoDB have an authentication mechanism enabled. - dms [medium]
[dms_endpoint_neptune_iam_authorization_enabled] Check if DMS endpoints for Neptune databases have IAM authorization enabled. - dms [medium]
[dms_endpoint_ssl_enabled] Ensure SSL mode is enabled in DMS endpoint - dms [high]
[dms_instance_minor_version_upgrade_enabled] Ensure DMS instances have auto minor version upgrade enabled. - dms [medium]
[dms_instance_multi_az_enabled] Ensure DMS instances have Multi-AZ enabled. - dms [medium]
[dms_instance_no_public_access] Ensure DMS instances are not publicly accessible. - dms [critical]
[documentdb_cluster_backup_enabled] Check if DocumentDB clusters have backup enabled. - documentdb [medium]
[documentdb_cluster_cloudwatch_log_export] Check if DocumentDB clusters are using the log export feature. - documentdb [medium]
[documentdb_cluster_deletion_protection] Check if DocumentDB clusters have deletion protection enabled. - documentdb [medium]
[documentdb_cluster_multi_az_enabled] Ensure DocumentDB clusters have Multi-AZ enabled. - documentdb [medium]
[documentdb_cluster_public_snapshot] Check if DocumentDB manual cluster snapshot is public. - documentdb [critical]
[documentdb_cluster_storage_encrypted] Check if DocumentDB cluster storage is encrypted. - documentdb [medium]
[drs_job_exist] Ensure DRS is enabled with jobs. - drs [medium]
[dynamodb_accelerator_cluster_encryption_enabled] Check if DynamoDB DAX Clusters are encrypted at rest. - dynamodb [medium]
[dynamodb_accelerator_cluster_in_transit_encryption_enabled] Check if DynamoDB Accelerator (DAX) clusters are encrypted in transit. - dynamodb [medium]
[dynamodb_accelerator_cluster_multi_az] Check if DynamoDB Accelerator (DAX) clusters have nodes in multiple availability zones. - dynamodb [medium]
[dynamodb_table_autoscaling_enabled] Check if DynamoDB tables automatically scale capacity with demand. - dynamodb [medium]
[dynamodb_table_cross_account_access] DynamoDB tables should not be accessible from other AWS accounts - dynamodb [medium]
[dynamodb_table_deletion_protection_enabled] Check if DynamoDB tables have deletion protection enabled. - dynamodb [medium]
[dynamodb_table_protected_by_backup_plan] Check if DynamoDB tables are included in a backup plan. - dynamodb [medium]
[dynamodb_tables_kms_cmk_encryption_enabled] Check if DynamoDB tables have encryption at rest enabled using a KMS CMK. - dynamodb [medium]
[dynamodb_tables_pitr_enabled] Check if DynamoDB tables have point-in-time recovery (PITR) enabled. - dynamodb [medium]
[ec2_ami_public] Ensure there are no EC2 AMIs set as Public. - ec2 [critical]
[ec2_client_vpn_endpoint_connection_logging_enabled] EC2 Client VPN endpoints should have client connection logging enabled. - ec2 [low]
[ec2_ebs_default_encryption] Check if EBS Default Encryption is activated. - ec2 [medium]
[ec2_ebs_public_snapshot] Ensure there are no EBS Snapshots set as Public. - ec2 [critical]
[ec2_ebs_snapshot_account_block_public_access] Ensure that public access to EBS snapshots is disabled - ec2 [high]
[ec2_ebs_snapshots_encrypted] Check if EBS snapshots are encrypted. - ec2 [medium]
[ec2_ebs_volume_encryption] Ensure there are no unencrypted EBS volumes. - ec2 [medium]
[ec2_ebs_volume_protected_by_backup_plan] Amazon EBS volumes should be protected by a backup plan. - ec2 [low]
[ec2_ebs_volume_snapshots_exists] Check if EBS snapshots exist. - ec2 [medium]
[ec2_elastic_ip_shodan] Check if any of the Elastic or Public IP are in Shodan (requires Shodan API KEY). - ec2 [high]
[ec2_elastic_ip_unassigned] Check if there is any unassigned Elastic IP. - ec2 [low]
[ec2_instance_account_imdsv2_enabled] Ensure Instance Metadata Service Version 2 (IMDSv2) is enforced for EC2 instances at the account level to protect against SSRF vulnerabilities. - ec2 [medium]
[ec2_instance_detailed_monitoring_enabled] Check if EC2 instances have detailed monitoring enabled. - ec2 [low]
[ec2_instance_imdsv2_enabled] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required. - ec2 [medium]
[ec2_instance_internet_facing_with_instance_profile] Check for internet-facing EC2 instances with instance profiles attached. - ec2 [medium]
[ec2_instance_managed_by_ssm] Check if EC2 instances are managed by Systems Manager. - ec2 [medium]
[ec2_instance_older_than_specific_days] Check for EC2 instances older than a configurable number of days. - ec2 [medium]
[ec2_instance_paravirtual_type] Amazon EC2 paravirtual virtualization type should not be used. - ec2 [medium]
[ec2_instance_port_cassandra_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to Cassandra ports (TCP 7000, 7001, 7199, 9042, 9160). - ec2 [critical]
[ec2_instance_port_cifs_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 139 or 445 (CIFS). - ec2 [critical]
[ec2_instance_port_elasticsearch_kibana_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to Elasticsearch and Kibana ports (TCP 9200, 9300, 5601). - ec2 [critical]
[ec2_instance_port_ftp_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 20 or 21 (FTP) - ec2 [critical]
[ec2_instance_port_kafka_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 9092 (Kafka). - ec2 [critical]
[ec2_instance_port_kerberos_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 88, 464, 749 or 750 (Kerberos). - ec2 [critical]
[ec2_instance_port_ldap_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 389 or 636 (LDAP). - ec2 [critical]
[ec2_instance_port_memcached_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 11211 (Memcached). - ec2 [critical]
[ec2_instance_port_mongodb_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 27017 or 27018 (MongoDB) - ec2 [critical]
[ec2_instance_port_mysql_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 3306 (MySQL). - ec2 [critical]
[ec2_instance_port_oracle_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 1521, 2483 or 2484 (Oracle). - ec2 [critical]
[ec2_instance_port_postgresql_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 5432 (PostgreSQL) - ec2 [critical]
[ec2_instance_port_rdp_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 3389 (RDP) - ec2 [critical]
[ec2_instance_port_redis_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 6379 (Redis). - ec2 [critical]
[ec2_instance_port_sqlserver_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 1433 or 1434 (SQL Server). - ec2 [critical]
[ec2_instance_port_ssh_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 22 (SSH) - ec2 [critical]
[ec2_instance_port_telnet_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 23 (Telnet). - ec2 [critical]
[ec2_instance_profile_attached] Ensure IAM instance roles are used for AWS resource access from instances - ec2 [medium]
[ec2_instance_public_ip] Check for EC2 Instances with Public IP. - ec2 [medium]
[ec2_instance_secrets_user_data] Find secrets in EC2 User Data. - ec2 [critical]
[ec2_instance_uses_single_eni] Amazon EC2 instances should not use multiple ENIs - ec2 [low]
[ec2_launch_template_no_public_ip] Amazon EC2 launch templates should not assign public IPs to network interfaces. - ec2 [high]
[ec2_launch_template_no_secrets] Find secrets in EC2 Launch Template - ec2 [critical]
[ec2_networkacl_allow_ingress_any_port] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to any port. - ec2 [medium]
[ec2_networkacl_allow_ingress_tcp_port_22] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to SSH port 22 - ec2 [medium]
[ec2_networkacl_allow_ingress_tcp_port_3389] Ensure no Network ACLs allow ingress from 0.0.0.0/0 to Microsoft RDP port 3389 - ec2 [medium]
[ec2_networkacl_unused] Unused Network Access Control Lists should be removed. - ec2 [low]
[ec2_securitygroup_allow_ingress_from_internet_to_all_ports] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to all ports. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_any_port] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to high risk ports. - ec2 [critical]
[ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH port 22. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23. - ec2 [high]
[ec2_securitygroup_allow_wide_open_public_ipv4] Ensure no security groups allow ingress and egress from a wide-open IP address range with a mask between 0 and 24. - ec2 [high]
[ec2_securitygroup_default_restrict_traffic] Ensure the default security group of every VPC restricts all traffic. - ec2 [high]
[ec2_securitygroup_from_launch_wizard] Security Groups created by EC2 Launch Wizard. - ec2 [medium]
[ec2_securitygroup_not_used] Ensure there are no Security Groups not being used. - ec2 [low]
[ec2_securitygroup_with_many_ingress_egress_rules] Find security groups with more than 50 ingress or egress rules. - ec2 [high]
[ec2_transitgateway_auto_accept_vpc_attachments] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests - ec2 [high]
[ecr_registry_scan_images_on_push_enabled] Check if ECR Registry has scan on push enabled - ecr [medium]
[ecr_repositories_lifecycle_policy_enabled] Check if ECR repositories have lifecycle policies enabled - ecr [low]
[ecr_repositories_not_publicly_accessible] Ensure there are no ECR repositories set as Public - ecr [critical]
[ecr_repositories_scan_images_on_push_enabled] [DEPRECATED] Check if ECR image scan on push is enabled - ecr [medium]
[ecr_repositories_scan_vulnerabilities_in_latest_image] Check if ECR image scan found vulnerabilities in the newest image version - ecr [medium]
[ecr_repositories_tag_immutability] ECR repositories should have tag immutability configured - ecr [medium]
[ecs_cluster_container_insights_enabled] ECS clusters should use Container Insights - ecs [medium]
[ecs_service_fargate_latest_platform_version] ECS Fargate services should run on the latest Fargate platform version - ecs [medium]
[ecs_service_no_assign_public_ip] ECS services should not assign public IPs automatically - ecs [high]
[ecs_task_definitions_containers_readonly_access] ECS containers should be limited to read-only access to root filesystems - ecs [high]
[ecs_task_definitions_host_namespace_not_shared] ECS task definitions should not share the host's process namespace - ecs [high]
[ecs_task_definitions_host_networking_mode_users] Amazon ECS task definitions should have secure networking modes and user definitions - ecs [high]
[ecs_task_definitions_logging_block_mode] ECS task definition containers should have logging configured with non-blocking mode - ecs [low]
[ecs_task_definitions_logging_enabled] ECS task definition containers should have a logging configuration - ecs [high]
[ecs_task_definitions_no_environment_secrets] Check if secrets exist in ECS task definition environment variables - ecs [critical]
[ecs_task_definitions_no_privileged_containers] ECS task definitions shouldn't have privileged containers - ecs [high]
[ecs_task_set_no_assign_public_ip] ECS task sets should not automatically assign public IP addresses - ecs [high]
[efs_access_point_enforce_root_directory] EFS access points should enforce a root directory - efs [medium]
[efs_access_point_enforce_user_identity] EFS access points should enforce a user identity - efs [medium]
[efs_encryption_at_rest_enabled] Check if EFS protects sensitive data with encryption at rest - efs [medium]
[efs_have_backup_enabled] Check if EFS File systems have backup enabled - efs [medium]
[efs_mount_target_not_publicly_accessible] EFS mount targets should not be publicly accessible - efs [medium]
[efs_not_publicly_accessible] Check if EFS file systems have policies which allow access to any client within the VPC - efs [medium]
[eks_cluster_kms_cmk_encryption_in_secrets_enabled] Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) - eks [medium]
[eks_cluster_network_policy_enabled] Ensure Network Policy is Enabled and Set as Appropriate - eks [high]
[eks_cluster_not_publicly_accessible] Ensure EKS Clusters are not publicly accessible - eks [high]
[eks_cluster_private_nodes_enabled] Ensure Clusters are created with Private Nodes - eks [high]
[eks_cluster_uses_a_supported_version] Ensure Kubernetes cluster runs on a supported Kubernetes version - eks [high]
[eks_control_plane_logging_all_types_enabled] Ensure EKS Control Plane Logging is enabled for all required log types - eks [medium]
[elasticache_cluster_uses_public_subnet] Ensure Elasticache Cluster is not using a public subnet - elasticache [medium]
[elasticache_redis_cluster_auto_minor_version_upgrades] Ensure Elasticache Redis cache clusters have automatic minor upgrades enabled. - elasticache [high]
[elasticache_redis_cluster_automatic_failover_enabled] Ensure Elasticache Redis clusters have automatic failover enabled. - elasticache [medium]
[elasticache_redis_cluster_backup_enabled] Ensure Elasticache Redis cache cluster has automatic backups enabled. - elasticache [high]
[elasticache_redis_cluster_in_transit_encryption_enabled] Ensure Elasticache Redis cache clusters have in transit encryption enabled. - elasticache [medium]
[elasticache_redis_cluster_multi_az_enabled] Ensure Elasticache Redis cache cluster has Multi-AZ enabled. - elasticache [medium]
[elasticache_redis_cluster_rest_encryption_enabled] Ensure Elasticache Redis cache clusters have at rest encryption enabled. - elasticache [medium]
[elasticache_redis_replication_group_auth_enabled] Ensure Elasticache Redis replication groups of earlier versions have Redis OSS AUTH enabled. - elasticache [medium]
[elasticbeanstalk_environment_cloudwatch_logging_enabled] Elastic Beanstalk environment should stream logs to CloudWatch - elasticbeanstalk [high]
[elasticbeanstalk_environment_enhanced_health_reporting] Elastic Beanstalk environments should have enhanced health reporting enabled - elasticbeanstalk [low]
[elasticbeanstalk_environment_managed_updates_enabled] Elastic Beanstalk managed platform updates should be enabled - elasticbeanstalk [high]
[elb_connection_draining_enabled] Classic Load Balancer Connection Draining Enabled - elb [medium]
[elb_cross_zone_load_balancing_enabled] Ensure Cross-Zone Load Balancing is Enabled for Classic Load Balancers (CLBs) - elb [medium]
[elb_desync_mitigation_mode] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode - elb [medium]
[elb_insecure_ssl_ciphers] Check if Elastic Load Balancers have insecure SSL ciphers. - elb [medium]
[elb_internet_facing] Check for internet facing Elastic Load Balancers. - elb [medium]
[elb_is_in_multiple_az] Ensure Classic Load Balancer is Configured Across Multiple Availability Zones - elb [medium]
[elb_logging_enabled] Check if Elastic Load Balancers have logging enabled. - elb [medium]
[elb_ssl_listeners] Check if Elastic Load Balancers have SSL listeners. - elb [medium]
[elb_ssl_listeners_use_acm_certificate] Check if Classic Load Balancers with SSL/HTTPS listeners use a certificate provided by AWS Certificate Manager (ACM). - elb [medium]
[elbv2_cross_zone_load_balancing_enabled] Ensure Cross-Zone Load Balancing is enabled for Network (NLBs) and Gateway (GWLB) Load Balancers - elbv2 [medium]
[elbv2_deletion_protection] Check if Elastic Load Balancers have deletion protection enabled. - elbv2 [medium]
[elbv2_desync_mitigation_mode] Check whether the Application Load Balancer is configured with the strictest desync mitigation mode; if not, check if it is at least configured with the drop_invalid_header_fields attribute - elbv2 [medium]
[elbv2_insecure_ssl_ciphers] Check if Elastic Load Balancers have insecure SSL ciphers. - elbv2 [medium]
[elbv2_internet_facing] Check for internet facing Elastic Load Balancers. - elbv2 [medium]
[elbv2_is_in_multiple_az] Elastic Load Balancer V2 (ELBv2) is Configured Across Multiple Availability Zones (AZs) - elbv2 [medium]
[elbv2_listeners_underneath] Check if ELBV2 has listeners underneath. - elbv2 [medium]
[elbv2_logging_enabled] Check if Elastic Load Balancers have logging enabled. - elbv2 [medium]
[elbv2_nlb_tls_termination_enabled] Check if Network Load Balancers (NLB) have TLS termination enabled. - elbv2 [medium]
[elbv2_ssl_listeners] Check if Elastic Load Balancers have SSL listeners. - elbv2 [medium]
[elbv2_waf_acl_attached] Check if Application Load Balancer has a WAF ACL attached. - elbv2 [medium]
[emr_cluster_account_public_block_enabled] EMR Account Public Access Block enabled. - emr [high]
[emr_cluster_master_nodes_no_public_ip] EMR Cluster without Public IP. - emr [medium]
[emr_cluster_publicly_accesible] Publicly accessible EMR Cluster. - emr [medium]
[eventbridge_bus_cross_account_access] Ensure that AWS EventBridge event buses do not allow unknown cross-account access for delivery of events. - eventbridge [high]
[eventbridge_bus_exposed] Ensure that your AWS EventBridge event bus is not exposed to everyone - eventbridge [high]
[eventbridge_global_endpoint_event_replication_enabled] Check if EventBridge global endpoints have event replication enabled. - eventbridge [medium]
[eventbridge_schema_registry_cross_account_access] Ensure that AWS EventBridge schema registries do not allow unknown cross-account access for delivery of events. - eventbridge [high]
[fms_policy_compliant] Ensure that all FMS policies inside an admin account are compliant - fms [medium]
[fsx_file_system_copy_tags_to_backups_enabled] Check if FSx file systems are configured to copy tags to backups. - fsx [low]
[fsx_file_system_copy_tags_to_volumes_enabled] Check if FSx file systems are configured to copy tags to volumes. - fsx [low]
[fsx_windows_file_system_multi_az_enabled] Check if FSx Windows file systems are configured with Multi-AZ. - fsx [low]
[glacier_vaults_policy_public_access] Check if S3 Glacier vaults have policies which allow access to everyone. - glacier [critical]
[glue_data_catalogs_connection_passwords_encryption_enabled] Check if Glue data catalog settings have encrypt connection password enabled. - glue [medium]
[glue_data_catalogs_metadata_encryption_enabled] Check if Glue data catalog settings have metadata encryption enabled. - glue [medium]
[glue_data_catalogs_not_publicly_accessible] Ensure Glue Data Catalogs are not publicly accessible. - glue [high]
[glue_database_connections_ssl_enabled] Check if Glue database connection has SSL connection enabled. - glue [medium]
[glue_development_endpoints_cloudwatch_logs_encryption_enabled] Check if Glue development endpoints have CloudWatch logs encryption enabled. - glue [medium]
[glue_development_endpoints_job_bookmark_encryption_enabled] Check if Glue development endpoints have Job bookmark encryption enabled. - glue [medium]
[glue_development_endpoints_s3_encryption_enabled] Check if Glue development endpoints have S3 encryption enabled. - glue [medium]
[glue_etl_jobs_amazon_s3_encryption_enabled] Check if Glue ETL Jobs have S3 encryption enabled. - glue [medium]
[glue_etl_jobs_cloudwatch_logs_encryption_enabled] Check if Glue ETL Jobs have CloudWatch Logs encryption enabled. - glue [medium]
[glue_etl_jobs_job_bookmark_encryption_enabled] Check if Glue ETL Jobs have Job bookmark encryption enabled. - glue [medium]
[glue_etl_jobs_logging_enabled] Check if Glue ETL Jobs have logging enabled. - glue [medium]
[glue_ml_transform_encrypted_at_rest] Check if Glue ML Transform Encryption at Rest is Enabled - glue [medium]
[guardduty_centrally_managed] GuardDuty is centrally managed - guardduty [medium]
[guardduty_ec2_malware_protection_enabled] Ensure that GuardDuty Malware Protection for EC2 is enabled. - guardduty [high]
[guardduty_eks_audit_log_enabled] GuardDuty EKS Audit Log Monitoring Enabled - guardduty [high]
[guardduty_eks_runtime_monitoring_enabled] GuardDuty EKS Runtime Monitoring should be enabled - guardduty [medium]
[guardduty_is_enabled] Check if GuardDuty is enabled - guardduty [medium]
[guardduty_lambda_protection_enabled] Check if GuardDuty Lambda Protection is enabled. - guardduty [high]
[guardduty_no_high_severity_findings] There are High severity GuardDuty findings - guardduty [high]
[guardduty_rds_protection_enabled] Check if GuardDuty RDS Protection is enabled. - guardduty [high]
[guardduty_s3_protection_enabled] Check if GuardDuty S3 Protection is enabled. - guardduty [high]
[iam_administrator_access_with_mfa] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled - iam [high]
[iam_avoid_root_usage] Avoid the use of the root account - iam [high]
[iam_aws_attached_policy_no_administrative_privileges] Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
[iam_check_saml_providers_sts] Check if there are SAML Providers, so that STS can be used - iam [low]
[iam_customer_attached_policy_no_administrative_privileges] Ensure IAM Customer-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
[iam_customer_unattached_policy_no_administrative_privileges] Ensure IAM policies that allow full "*:*" administrative privileges are not created - iam [low]
[iam_group_administrator_access_policy] Ensure No IAM Groups Have Administrator Access Policy - iam [high]
[iam_inline_policy_allows_privilege_escalation] Ensure no IAM Inline policies allow actions that may lead to Privilege Escalation - iam [high]
[iam_inline_policy_no_administrative_privileges] Ensure IAM inline policies that allow full "*:*" administrative privileges are not associated with IAM identities - iam [high]
[iam_inline_policy_no_full_access_to_cloudtrail] Ensure IAM inline policies that allow full "cloudtrail:*" privileges are not created - iam [medium]
[iam_inline_policy_no_full_access_to_kms] Ensure IAM inline policies that allow full "kms:*" privileges are not created - iam [medium]
[iam_no_custom_policy_permissive_role_assumption] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) - iam [high]
[iam_no_expired_server_certificates_stored] Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed. - iam [critical]
[iam_no_root_access_key] Ensure no root account access key exists - iam [critical]
[iam_password_policy_expires_passwords_within_90_days_or_less] Ensure IAM password policy expires passwords within 90 days or less - iam [medium]
[iam_password_policy_lowercase] Ensure IAM password policy requires at least one lowercase letter - iam [medium]
[iam_password_policy_minimum_length_14] Ensure IAM password policy requires minimum length of 14 or greater - iam [medium]
[iam_password_policy_number] Ensure IAM password policy requires at least one number - iam [medium]
[iam_password_policy_reuse_24] Ensure IAM password policy prevents password reuse: 24 or greater - iam [medium]
[iam_password_policy_symbol] Ensure IAM password policy requires at least one symbol - iam [medium]
[iam_password_policy_uppercase] Ensure IAM password policy requires at least one uppercase letter - iam [medium]
[iam_policy_allows_privilege_escalation] Ensure no Customer Managed IAM policies allow actions that may lead to Privilege Escalation - iam [high]
[iam_policy_attached_only_to_group_or_roles] Ensure IAM policies are attached only to groups or roles - iam [low]
[iam_policy_cloudshell_admin_not_attached] Check if IAM identities (users, groups, roles) have the AWSCloudShellFullAccess policy attached. - iam [medium]
[iam_policy_no_full_access_to_cloudtrail] Ensure IAM policies that allow full "cloudtrail:*" privileges are not created - iam [medium]
[iam_policy_no_full_access_to_kms] Ensure IAM policies that allow full "kms:*" privileges are not created - iam [medium]
[iam_role_administratoraccess_policy] Ensure IAM Roles do not have AdministratorAccess policy attached - iam [high]
[iam_role_cross_account_readonlyaccess_policy] Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts - iam [high]
[iam_role_cross_service_confused_deputy_prevention] Ensure IAM Service Roles are protected against a cross-service confused deputy attack - iam [high]
[iam_root_hardware_mfa_enabled] Ensure only hardware MFA is enabled for the root account - iam [critical]
[iam_root_mfa_enabled] Ensure MFA is enabled for the root account - iam [critical]
[iam_rotate_access_key_90_days] Ensure access keys are rotated every 90 days or less - iam [medium]
[iam_securityaudit_role_created] Ensure a Security Audit role has been created to conduct security audits - iam [low]
[iam_support_role_created] Ensure a support role has been created to manage incidents with AWS Support - iam [medium]
[iam_user_accesskey_unused] Ensure unused User Access Keys are disabled - iam [medium]
[iam_user_administrator_access_policy] Ensure No IAM Users Have Administrator Access Policy - iam [high]
[iam_user_console_access_unused] Ensure unused user console access is disabled - iam [medium]
[iam_user_hardware_mfa_enabled] Check if IAM users have Hardware MFA enabled. - iam [medium]
[iam_user_mfa_enabled_console_access] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password. - iam [high]
[iam_user_no_setup_initial_access_key] Do not set up access keys during initial user setup for all IAM users that have a console password - iam [medium]
[iam_user_two_active_access_key] Check if IAM users have two active access keys - iam [medium]
[iam_user_with_temporary_credentials] Ensure users make use of temporary credentials assuming IAM roles - iam [medium]
[inspector2_active_findings_exist] Check if Inspector2 active findings exist - inspector2 [medium]
[inspector2_is_enabled] Check if Inspector2 is enabled for Amazon EC2 instances, ECR container images and Lambda functions. - inspector2 [medium]
[kafka_cluster_encryption_at_rest_uses_cmk] Ensure Kafka Cluster Encryption at Rest Uses Customer Managed Keys (CMK) - kafka [medium]
[kafka_cluster_enhanced_monitoring_enabled] Ensure Enhanced Monitoring is Enabled for MSK (Kafka) Brokers - kafka [medium]
[kafka_cluster_in_transit_encryption_enabled] Ensure Kafka Cluster Encryption in Transit is Enabled - kafka [medium]
[kafka_cluster_is_public] Kafka Cluster Exposed to the Public - kafka [high]
[kafka_cluster_mutual_tls_authentication_enabled] Ensure Mutual TLS Authentication is Enabled for Kafka Cluster - kafka [medium]
[kafka_cluster_unrestricted_access_disabled] Ensure Kafka Cluster has unrestricted access disabled - kafka [high]
[kafka_cluster_uses_latest_version] MSK cluster should use the latest version. - kafka [medium]
[kafka_connector_in_transit_encryption_enabled] MSK Connect connectors should be encrypted in transit - kafka [medium]
[kinesis_stream_encrypted_at_rest] Kinesis streams should be encrypted at rest. - kinesis [medium]
[kms_cmk_are_used] Check if there are CMK KMS keys not used. - kms [medium]
[kms_cmk_not_deleted_unintentionally] AWS KMS keys should not be deleted unintentionally - kms [critical]
[kms_cmk_rotation_enabled] Ensure rotation for customer created KMS CMKs is enabled. - kms [medium]
[kms_key_not_publicly_accessible] Check exposed KMS keys - kms [medium]
[lightsail_database_public] Check if the database has the public mode. - lightsail [high]
[lightsail_instance_automated_snapshots] Check if instances have automated snapshots enabled - lightsail [medium]
[lightsail_instance_public] Ensure that Lightsail instances are not publicly accessible - lightsail [high]
[lightsail_static_ip_unused] Static IPs are allocated but not attached to any instance - lightsail [low]
[macie_automated_sensitive_data_discovery_enabled] Check if Macie automated sensitive data discovery is enabled. - macie [high]
[macie_is_enabled] Check if Amazon Macie is enabled. - macie [low]
[mq_broker_active_deployment_mode] Apache ActiveMQ brokers should be configured in active/standby mode. - mq [low]
[mq_broker_auto_minor_version_upgrades] MQ Broker Auto Minor Version Upgrades should be enabled. - mq [low]
[mq_broker_cluster_deployment_mode] MQ RabbitMQ Brokers should use cluster deployment mode. - mq [low]
[mq_broker_logging_enabled] MQ brokers should stream audit logs to CloudWatch. - mq [medium]
[neptune_cluster_backup_enabled] Check for Neptune Clusters Backup Retention Period. - neptune [medium]
[neptune_cluster_copy_tags_to_snapshots] Check if Neptune DB clusters are configured to copy tags to snapshots. - neptune [low]
[neptune_cluster_deletion_protection] Check if Neptune Clusters storage has deletion protection enabled. - neptune [medium]
[neptune_cluster_iam_authentication_enabled] Check if Neptune Clusters have IAM authentication enabled. - rds [medium]
[neptune_cluster_integration_cloudwatch_logs] Check if Neptune Clusters have audit cloudwatch logs enabled. - neptune [medium]
[neptune_cluster_multi_az] Check if Neptune Clusters have multi-AZ enabled. - neptune [medium]
[neptune_cluster_public_snapshot] Check if NeptuneDB manual cluster snapshot is public. - neptune [critical]
[neptune_cluster_snapshot_encrypted] Check if Neptune DB cluster snapshots are encrypted at rest. - neptune [medium]
[neptune_cluster_storage_encrypted] Check if Neptune Clusters storage is encrypted at rest. - neptune [high]
[neptune_cluster_uses_public_subnet] Ensure Neptune Cluster is not using a public subnet - neptune [medium]
[networkfirewall_deletion_protection] Ensure that the Deletion Protection safety feature is enabled for your Amazon VPC network firewalls. - network-firewall [medium]
[networkfirewall_in_all_vpc] Ensure all VPCs have Network Firewall enabled - network-firewall [medium]
[networkfirewall_logging_enabled] Ensure Network Firewall Logging is Enabled - network-firewall [medium]
[networkfirewall_multi_az] Ensure all Network Firewall Firewalls are deployed across multiple AZs. - network-firewall [medium]
[networkfirewall_policy_default_action_fragmented_packets] Default action for fragmented packets is set to drop or forward. - network-firewall [medium]
[networkfirewall_policy_default_action_full_packets] NetworkFirewall firewall policy default action for full packets is set to drop or forward. - network-firewall [medium]
[networkfirewall_policy_rule_group_associated] Ensure Network Firewall Policies Have at Least One Rule Group Associated - network-firewall [medium]
[opensearch_service_domains_audit_logging_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have audit logging enabled - opensearch [low]
[opensearch_service_domains_cloudwatch_logging_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have logging enabled - opensearch [medium]
[opensearch_service_domains_encryption_at_rest_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have encryption at-rest enabled - opensearch [medium]
[opensearch_service_domains_fault_tolerant_data_nodes] Ensure Elasticsearch/Opensearch domains have fault-tolerant data nodes. - opensearch [medium]
[opensearch_service_domains_fault_tolerant_master_nodes] OpenSearch Service Domain should have at least three dedicated master nodes - opensearch [medium]
[opensearch_service_domains_https_communications_enforced] Check if Amazon Elasticsearch/Opensearch Service domains have enforce HTTPS enabled - opensearch [medium]
[opensearch_service_domains_internal_user_database_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have internal user database enabled - opensearch [medium]
[opensearch_service_domains_node_to_node_encryption_enabled] Check if Amazon Elasticsearch/Opensearch Service domains have node-to-node encryption enabled - opensearch [medium]
[opensearch_service_domains_not_publicly_accessible] Check if Amazon Opensearch/Elasticsearch domains are publicly accessible - opensearch [critical]
[opensearch_service_domains_updated_to_the_latest_service_software_version] Check if Amazon Elasticsearch/Opensearch Service domains have updates available - opensearch [low]
[opensearch_service_domains_use_cognito_authentication_for_kibana] Check if Amazon Elasticsearch/Opensearch Service domains have either Amazon Cognito or SAML authentication for Kibana enabled - opensearch [high]
[organizations_account_part_of_organizations] Check if account is part of an AWS Organization - organizations [medium]
[organizations_delegated_administrators] Check if AWS Organizations delegated administrators are trusted - organizations [high]
[organizations_opt_out_ai_services_policy] Ensure that AWS Organizations opt-out of AI services policy is enabled. - organizations [low]
[organizations_scp_check_deny_regions] Check if AWS Regions are restricted with SCP policies - organizations [low]
[organizations_tags_policies_enabled_and_attached] Check if an AWS Organization has tags policies enabled and attached. - organizations [medium]
[rds_cluster_backtrack_enabled] Check if RDS Aurora MySQL Clusters have backtrack enabled. - rds [medium]
[rds_cluster_copy_tags_to_snapshots] Check if RDS DB clusters have copy tags to snapshots enabled - rds [low]
[rds_cluster_critical_event_subscription] Check if RDS Cluster critical events are subscribed. - rds [low]
[rds_cluster_default_admin] Ensure that your Amazon RDS clusters are not using the default master username. - rds [medium]
[rds_cluster_deletion_protection] Check if RDS clusters have deletion protection enabled. - rds [low]
[rds_cluster_iam_authentication_enabled] Check if RDS clusters have IAM authentication enabled. - rds [medium]
[rds_cluster_integration_cloudwatch_logs] Check if RDS cluster is integrated with CloudWatch Logs. - rds [medium]
[rds_cluster_minor_version_upgrade_enabled] Ensure RDS clusters have minor version upgrade enabled. - rds [medium]
[rds_cluster_multi_az] Check if RDS clusters have multi-AZ enabled. - rds [medium]
[rds_cluster_non_default_port] Check if RDS clusters are using non-default ports. - rds [low]
[rds_cluster_protected_by_backup_plan] Check if RDS clusters are protected by a backup plan. - rds [medium]
[rds_cluster_storage_encrypted] Check if RDS clusters storage is encrypted. - rds [medium]
[rds_instance_backup_enabled] Check if RDS instances have backup enabled. - rds [medium]
[rds_instance_certificate_expiration] Ensure that the SSL/TLS certificates configured for your Amazon RDS are not expired. - rds [high]
[rds_instance_copy_tags_to_snapshots] Check if RDS DB instances have copy tags to snapshots enabled - rds [low]
[rds_instance_critical_event_subscription] Check if RDS Instances events are subscribed. - rds [low]
[rds_instance_default_admin] Ensure that your Amazon RDS instances are not using the default master username. - rds [medium]
[rds_instance_deletion_protection] Check if RDS instances have deletion protection enabled. - rds [medium]
[rds_instance_deprecated_engine_version] Check if RDS instance is using a supported engine version - rds [medium]
[rds_instance_enhanced_monitoring_enabled] Check if RDS instances have enhanced monitoring enabled. - rds [low]
[rds_instance_event_subscription_parameter_groups] Check if RDS Parameter Group events are subscribed. - rds [low]
[rds_instance_event_subscription_security_groups] Check if RDS Security Group events are subscribed. - rds [medium]
[rds_instance_iam_authentication_enabled] Check if RDS instances have IAM authentication enabled. - rds [medium]
[rds_instance_inside_vpc] Check if RDS instances are deployed within a VPC. - rds [high]
[rds_instance_integration_cloudwatch_logs] Check if RDS instances are integrated with CloudWatch Logs. - rds [medium]
[rds_instance_minor_version_upgrade_enabled] Ensure RDS instances have minor version upgrade enabled. - rds [low]
[rds_instance_multi_az] Check if RDS instances have multi-AZ enabled. - rds [medium]
[rds_instance_no_public_access] Ensure there are no Publicly Accessible RDS instances. - rds [critical]
[rds_instance_non_default_port] Check if RDS instances are using non-default ports. - rds [low]
[rds_instance_protected_by_backup_plan] Check if RDS instances are protected by a backup plan. - rds [medium]
[rds_instance_storage_encrypted] Check if RDS instances storage is encrypted. - rds [medium]
[rds_instance_transport_encrypted] Check if RDS instances enforce SSL/TLS encryption for client connections (Microsoft SQL Server, PostgreSQL, MySQL, MariaDB, Aurora PostgreSQL, and Aurora MySQL). - rds [high]
[rds_snapshots_encrypted] Check if RDS Snapshots and Cluster Snapshots are encrypted. - rds [medium]
[rds_snapshots_public_access] Check if RDS Snapshots and Cluster Snapshots are public. - rds [critical]
[redshift_cluster_audit_logging] Check if Redshift cluster has audit logging enabled - redshift [medium]
[redshift_cluster_automated_snapshot] Check if Redshift Clusters have automated snapshots enabled - redshift [medium]
[redshift_cluster_automatic_upgrades] Check for Redshift Automatic Version Upgrade - redshift [high]
[redshift_cluster_encrypted_at_rest] Check if Redshift clusters are encrypted at rest. - redshift [medium]
[redshift_cluster_enhanced_vpc_routing] Check if Redshift clusters are using enhanced VPC routing. - redshift [medium]
[redshift_cluster_in_transit_encryption_enabled] Check if connections to Amazon Redshift clusters are encrypted in transit. - redshift [medium]
[redshift_cluster_multi_az_enabled] Check if Redshift clusters have Multi-AZ enabled. - redshift [medium]
[redshift_cluster_non_default_database_name] Check if Redshift clusters are using the default database name. - redshift [medium]
[redshift_cluster_non_default_username] Check if Amazon Redshift clusters are using the default Admin username. - redshift [medium]
[redshift_cluster_public_access] Check for Publicly Accessible Redshift Clusters - redshift [high]
[resourceexplorer2_indexes_found] Resource Explorer Indexes Found - resourceexplorer2 [low]
[route53_dangling_ip_subdomain_takeover] Check if Route53 Records contains dangling IPs. - route53 [high]
[route53_domains_privacy_protection_enabled] Enable Privacy Protection for a Route53 Domain. - route53 [medium]
[route53_domains_transferlock_enabled] Enable Transfer Lock for a Route53 Domain. - route53 [medium]
[route53_public_hosted_zones_cloudwatch_logging_enabled] Check if Route53 public hosted zones are logging queries to CloudWatch Logs. - route53 [medium]
[s3_access_point_public_access_block] Block Public Access Settings enabled on Access Points. - s3 [critical]
[s3_account_level_public_access_blocks] Check S3 Account Level Public Access Block. - s3 [high]
[s3_bucket_acl_prohibited] Check if S3 buckets have ACLs enabled - s3 [medium]
[s3_bucket_cross_account_access] Ensure that general-purpose bucket policies restrict access to other AWS accounts. - s3 [high]
[s3_bucket_cross_region_replication] Check if S3 buckets use cross region replication. - s3 [low]
[s3_bucket_default_encryption] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it. - s3 [medium]
[s3_bucket_event_notifications_enabled] Check if S3 buckets have event notifications enabled. - s3 [medium]
[s3_bucket_kms_encryption] Check if S3 buckets have KMS encryption enabled. - s3 [medium]
[s3_bucket_level_public_access_block] Check S3 Bucket Level Public Access Block. - s3 [medium]
[s3_bucket_lifecycle_enabled] Check if S3 buckets have a Lifecycle configuration enabled - s3 [low]
[s3_bucket_no_mfa_delete] Check if S3 bucket MFA Delete is not enabled. - s3 [medium]
[s3_bucket_object_lock] Check if S3 buckets have object lock enabled - s3 [low]
[s3_bucket_object_versioning] Check if S3 buckets have object versioning enabled - s3 [medium]
[s3_bucket_policy_public_write_access] Check if S3 buckets have policies which allow WRITE access. - s3 [critical]
[s3_bucket_public_access] Ensure there are no S3 buckets open to Everyone or Any AWS user. - s3 [critical]
[s3_bucket_public_list_acl] Ensure there are no S3 buckets listable by Everyone or Any AWS customer. - s3 [critical]
[s3_bucket_public_write_acl] Ensure there are no S3 buckets writable by Everyone or Any AWS customer. - s3 [critical]
[s3_bucket_secure_transport_policy] Check if S3 buckets have secure transport policy. - s3 [medium]
[s3_bucket_server_access_logging_enabled] Check if S3 buckets have server access logging enabled - s3 [medium]
[s3_multi_region_access_point_public_access_block] Block Public Access Settings enabled on Multi Region Access Points. - s3 [high]
[sagemaker_endpoint_config_prod_variant_instances] SageMaker endpoint production variants should have at least two initial instances - sagemaker [medium]
[sagemaker_models_network_isolation_enabled] Check if Amazon SageMaker Models have network isolation enabled - sagemaker [medium]
[sagemaker_models_vpc_settings_configured] Check if Amazon SageMaker Models have VPC settings configured - sagemaker [medium]
[sagemaker_notebook_instance_encryption_enabled] Check if Amazon SageMaker Notebook instances have data encryption enabled - sagemaker [medium]
[sagemaker_notebook_instance_root_access_disabled] Check if Amazon SageMaker Notebook instances have root access disabled - sagemaker [medium]
[sagemaker_notebook_instance_vpc_settings_configured] Check if Amazon SageMaker Notebook instances have VPC settings configured - sagemaker [medium]
[sagemaker_notebook_instance_without_direct_internet_access_configured] Check if Amazon SageMaker Notebook instances are configured without direct internet access - sagemaker [medium]
[sagemaker_training_jobs_intercontainer_encryption_enabled] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled - sagemaker [medium]
[sagemaker_training_jobs_network_isolation_enabled] Check if Amazon SageMaker Training jobs have network isolation enabled - sagemaker [medium]
[sagemaker_training_jobs_volume_and_output_encryption_enabled] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled - sagemaker [medium]
[sagemaker_training_jobs_vpc_settings_configured] Check if Amazon SageMaker Training jobs have VPC settings configured. - sagemaker [medium]
[secretsmanager_automatic_rotation_enabled] Check if Secrets Manager secret rotation is enabled. - secretsmanager [medium]
[secretsmanager_not_publicly_accessible] Ensure Secrets Manager secrets are not publicly accessible. - secretsmanager [high]
[secretsmanager_secret_rotated_periodically] Secrets should be rotated periodically - secretsmanager [medium]
[secretsmanager_secret_unused] Ensure secrets manager secrets are not unused - secretsmanager [medium]
[securityhub_enabled] Check if Security Hub is enabled and which standards it is subscribed to. - securityhub [medium]
[ses_identity_not_publicly_accessible] Ensure that SES identities are not publicly accessible - ses [high]
[shield_advanced_protection_in_associated_elastic_ips] Check if Elastic IP addresses with associations are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_classic_load_balancers] Check if Classic Load Balancers are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_cloudfront_distributions] Check if Cloudfront distributions are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_global_accelerators] Check if Global Accelerators are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_internet_facing_load_balancers] Check if internet-facing Application Load Balancers are protected by AWS Shield Advanced. - shield [medium]
[shield_advanced_protection_in_route53_hosted_zones] Check if Route53 hosted zones are protected by AWS Shield Advanced. - shield [medium]
[sns_subscription_not_using_http_endpoints] Ensure there are no SNS subscriptions using HTTP endpoints - sns [high]
[sns_topics_kms_encryption_at_rest_enabled] Ensure there are no SNS Topics unencrypted - sns [high]
[sns_topics_not_publicly_accessible] Check if SNS topics have a resource policy that grants access to everyone - sns [high]
[sqs_queues_not_publicly_accessible] Check if SQS queues have a resource policy that grants access to everyone - sqs [critical]
[sqs_queues_server_side_encryption_enabled] Check if SQS queues have Server Side Encryption enabled - sqs [medium]
[ssm_document_secrets] Find secrets in SSM Documents. - ssm [critical]
[ssm_documents_set_as_public] Check if there are SSM Documents set as public. - ssm [high]
[ssm_managed_compliant_patching] Check if EC2 instances managed by Systems Manager are compliant with patching requirements. - ssm [high]
[ssmincidents_enabled_with_plans] Ensure SSM Incidents is enabled with response plans. - ssm [low]
[storagegateway_fileshare_encryption_enabled] Check if AWS StorageGateway File Shares are encrypted with KMS CMK. - storagegateway [low]
[transfer_server_in_transit_encryption_enabled] Transfer Family Servers should have encryption in transit enabled. - transfer [medium]
[trustedadvisor_errors_and_warnings] Check Trusted Advisor for errors and warnings. - trustedadvisor [medium]
[trustedadvisor_premium_support_plan_subscribed] Check if a Premium support plan is subscribed - support [low]
[vpc_different_regions] Ensure there are VPCs in more than one region - vpc [medium]
[vpc_endpoint_connections_trust_boundaries] Find trust boundaries in VPC endpoint connections. - vpc [medium]
[vpc_endpoint_for_ec2_enabled] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service. - ec2 [medium]
[vpc_endpoint_multi_az_enabled] Amazon VPC Interface Endpoints should have ENIs in more than one subnet. - vpc [medium]
[vpc_endpoint_services_allowed_principals_trust_boundaries] Find trust boundaries in VPC endpoint services allowlisted principals. - vpc [medium]
[vpc_flow_logs_enabled] Ensure VPC Flow Logging is Enabled in all VPCs. - vpc [medium]
[vpc_peering_routing_tables_with_least_privilege] Ensure routing tables for VPC peering are least access. - vpc [medium]
[vpc_subnet_different_az] Ensure all VPCs have subnets in more than one availability zone - vpc [medium]
[vpc_subnet_no_public_ip_by_default] Ensure VPC subnets do not assign public IP by default - vpc [medium]
[vpc_subnet_separate_private_public] Ensure all VPCs have public and private subnets defined - vpc [medium]
[vpc_vpn_connection_tunnels_up] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up - vpc [medium]
[waf_global_rule_with_conditions] AWS WAF Classic Global Rules Should Have at Least One Condition. - waf [medium]
[waf_global_rulegroup_not_empty] Check if AWS WAF Classic Global rule group has at least one rule. - waf [medium]
[waf_global_webacl_logging_enabled] Check if AWS WAF Classic Global WebACL has logging enabled. - waf [medium]
[waf_global_webacl_with_rules] Check if AWS WAF Classic Global WebACL has at least one rule or rule group. - waf [medium]
[waf_regional_rule_with_conditions] AWS WAF Classic Regional Rules Should Have at Least One Condition. - waf [medium]
[waf_regional_rulegroup_not_empty] Check if AWS WAF Classic Regional rule group has at least one rule. - waf [medium]
[waf_regional_webacl_with_rules] Check if AWS WAF Classic Regional WebACL has at least one rule or rule group. - waf [medium]
[wafv2_webacl_logging_enabled] Check if AWS WAFv2 WebACL logging is enabled - wafv2 [medium]
[wafv2_webacl_rule_logging_enabled] Check if AWS WAFv2 WebACL rule or rule group has Amazon CloudWatch metrics enabled. - wafv2 [medium]
[wafv2_webacl_with_rules] Check if AWS WAFv2 WebACL has at least one rule or rule group. - wafv2 [medium]
[wellarchitected_workload_no_high_or_medium_risks] Check for medium and high risks identified in workloads defined in the AWS Well-Architected Tool. - wellarchitected [medium]
[workspaces_volume_encryption_enabled] Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements - workspaces [high]
[workspaces_vpc_2private_1public_subnets_nat] Ensure that the WorkSpaces VPC is deployed following best practices: 1 public subnet and 2 private subnets with a NAT Gateway attached - workspaces [medium]
There are 553 available checks.
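Several of the resource-policy checks above (s3_bucket_public_access, s3_bucket_policy_public_write_access, s3_bucket_secure_transport_policy, sns_topics_not_publicly_accessible, sqs_queues_not_publicly_accessible) hinge on the same question: does a policy statement let anyone in, and if so, what does it let them do? The example below is an added illustration of that evaluation logic, not Prowler's own implementation. It works on an already-fetched policy document (for S3, the JSON string returned by get_bucket_policy), treats a wildcard principal as public only when no condition pins it to a known account, organisation or network (the RESTRICTING_CONDITION_KEYS set is this example's assumption), and the sample policies are constructed for the example.

```python
"""Evaluate AWS resource policies (S3 bucket, SQS queue, SNS topic) for public
access, public S3 write access and an enforced TLS-only rule.
Illustrative reimplementation, not Prowler's own code."""
import fnmatch
import json
from typing import Any

# Assumption for this example: a "*" principal narrowed by one of these condition
# keys is scoped to a known account/org/network and is NOT treated as public.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner", "aws:sourcevpc",
    "aws:sourcevpce", "aws:principalaccount", "aws:principalarn",
    "aws:principalorgid", "aws:principalorgpaths", "aws:sourceip",
}
# S3 actions counted as WRITE for the public-write check (lower-cased).
S3_WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                    "s3:putbucketpolicy", "s3:putbucketacl", "s3:deletebucket"}


def parse_policy(text: str) -> dict:
    """Policy APIs return the document as a JSON string."""
    return json.loads(text)


def _as_list(value: Any) -> list:
    """The policy grammar allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (any AWS customer)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _has_restricting_condition(statement: dict) -> bool:
    """Does any condition narrow the statement to a known account/org/network?"""
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action wildcards ('*', 's3:*', 's3:Put*'), case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def public_statements(policy: dict) -> list[dict]:
    """Allow statements reachable by anyone: wildcard principal, no narrowing condition.
    NotPrincipal / NotAction statements are not modelled here."""
    return [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not _has_restricting_condition(s)
    ]


def is_public(policy: dict) -> bool:
    return bool(public_statements(policy))


def public_write_actions(policy: dict) -> set[str]:
    """S3 write actions granted to everyone by this policy (lower-cased)."""
    granted: set[str] = set()
    for s in public_statements(policy):
        for pattern in _as_list(s.get("Action")):
            granted |= {a for a in S3_WRITE_ACTIONS if _action_matches(pattern, a)}
    return granted


def enforces_secure_transport(policy: dict) -> bool:
    """A Deny on s3:* (or *) conditioned on aws:SecureTransport being false."""
    for s in _as_list(policy.get("Statement")):
        if s.get("Effect") != "Deny":
            continue
        if not any(p.lower() in ("*", "s3:*") for p in _as_list(s.get("Action"))):
            continue
        for key, value in s.get("Condition", {}).get("Bool", {}).items():
            if key.lower() == "aws:securetransport" and str(_as_list(value)[0]).lower() == "false":
                return True
    return False


# Constructed sample policies (not taken from any real account).
PUBLIC_READ_POLICY = parse_policy('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}')
PUBLIC_WRITE_POLICY = {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*"}}
ORG_SCOPED_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}
TLS_ONLY_POLICY = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
SQS_PUBLIC_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue"}]}

if __name__ == "__main__":
    for name, pol in [("read", PUBLIC_READ_POLICY), ("write", PUBLIC_WRITE_POLICY),
                      ("org", ORG_SCOPED_POLICY), ("tls", TLS_ONLY_POLICY), ("sqs", SQS_PUBLIC_POLICY)]:
        print(name, is_public(pol), sorted(public_write_actions(pol)), enforces_secure_transport(pol))
```

The org-scoped policy is the edge case worth noticing: its principal is "*", but the aws:PrincipalOrgID condition keeps it inside one organisation, so it should not be reported as public even though a naive search for Principal "*" would flag it. The same normalisation handles SNS and SQS policies, since they share the IAM policy grammar; only the write-action classification is S3-specific.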