bpsets/bpset_metadata.json
[
{
"name": "ALBHttpDropInvalidHeaderEnabled",
"description": "Ensures that the ALB is configured to drop invalid HTTP headers.",
"priority": 1,
"priorityReason": "Invalid headers can introduce security vulnerabilities.",
"awsService": "Elastic Load Balancing",
"awsServiceCategory": "Application Load Balancer",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeLoadBalancerAttributes",
"reason": "Retrieve ALB attributes to check for the invalid header configuration."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyLoadBalancerAttributes",
"reason": "Enable the drop invalid headers feature for the ALB."
}
],
"adviseBeforeFixFunction": "Ensure that enabling this attribute does not break any custom client behavior."
},
{
"name": "APIGatewayV2AccessLogsEnabled",
"description": "Ensures that access logs are enabled for API Gateway V2 HTTP APIs.",
"priority": 2,
"priorityReason": "Access logs help in monitoring and debugging API traffic issues.",
"awsService": "APIGateway",
"awsServiceCategory": "HTTP API",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "logGroupArn",
"description": "The ARN of the CloudWatch Log Group to store access logs.",
"default": "",
"example": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/http-api/logs:*"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetStagesCommand",
"reason": "Retrieve stage information for HTTP APIs to check for access log configuration."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateStageCommand",
"reason": "Enable access logs and configure the CloudWatch Log Group for the stage."
}
],
"adviseBeforeFixFunction": "Ensure the specified CloudWatch Log Group exists and has proper permissions."
},
{
"name": "APIGatewayV2AuthorizationTypeConfigured",
"description": "Verifies that all routes in API Gateway V2 HTTP APIs have authorization configured.",
"priority": 1,
"priorityReason": "Authorization protects APIs from unauthorized access.",
"awsService": "APIGateway",
"awsServiceCategory": "HTTP API",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "authorizationType",
"description": "The type of authorization to apply to the API route.",
"default": "AWS_IAM",
"example": "JWT"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetRoutesCommand",
"reason": "Retrieve route information to check for authorization configuration."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateRouteCommand",
"reason": "Update route configuration to include the specified authorization type."
}
],
"adviseBeforeFixFunction": "Ensure that the chosen authorization method is correctly set up and configured."
},
{
"name": "APIGatewayAssociatedWithWAF",
"description": "Ensures that the API Gateway stages are associated with a WAF WebACL.",
"priority": 1,
"priorityReason": "WAF provides protection against common web exploits.",
"awsService": "APIGateway",
"awsServiceCategory": "REST API",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "webAclArn",
"description": "The ARN of the WAF WebACL to associate with the API Gateway stage.",
"default": "",
"example": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/ExampleWebACL/12345678-1234-5678-abcd-1234567890ab"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetStageCommand",
"reason": "Retrieve stage information to check if it is associated with a WAF WebACL."
}
],
"commandUsedInFixFunction": [
{
"name": "AssociateWebACLCommand",
"reason": "Associate the specified WAF WebACL with the API Gateway stage."
}
],
"adviseBeforeFixFunction": "Ensure the WAF WebACL is properly configured before associating it with the API Gateway stage."
},
{
"name": "APIGatewayExecutionLoggingEnabled",
"description": "Ensures that execution logging is enabled for API Gateway stages.",
"priority": 2,
"priorityReason": "Execution logs help in debugging and monitoring API requests.",
"awsService": "APIGateway",
"awsServiceCategory": "REST API",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetStageCommand",
"reason": "Retrieve stage information to check execution logging configuration."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateStageCommand",
"reason": "Enable execution logging for the API Gateway stage."
}
],
"adviseBeforeFixFunction": "Ensure CloudWatch Logs are set up correctly to receive execution logs."
},
{
"name": "AutoScalingGroupELBHealthCheckRequired",
"description": "Ensures that Auto Scaling Groups with load balancers or target groups use ELB health checks.",
"priority": 1,
"priorityReason": "ELB health checks ensure that unhealthy instances are replaced automatically.",
"awsService": "AutoScaling",
"awsServiceCategory": "Auto Scaling Group",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeAutoScalingGroupsCommand",
"reason": "Retrieve Auto Scaling Group configurations to check health check settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateAutoScalingGroupCommand",
"reason": "Update the health check type of the Auto Scaling Group to ELB."
}
],
"adviseBeforeFixFunction": "Ensure that the ELB or target group is correctly configured to provide health checks."
},
{
"name": "AutoScalingMultipleAZ",
"description": "Ensures that Auto Scaling Groups are configured to run in multiple Availability Zones.",
"priority": 2,
"priorityReason": "Multiple AZs improve availability and fault tolerance of the application.",
"awsService": "AutoScaling",
"awsServiceCategory": "Auto Scaling Group",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [
{
"name": "availabilityZones",
"description": "List of Availability Zones to add to the Auto Scaling Group.",
"default": "",
"example": "[\"us-east-1a\", \"us-east-1b\"]"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeAutoScalingGroupsCommand",
"reason": "Retrieve Auto Scaling Group configurations to check the number of Availability Zones."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateAutoScalingGroupCommand",
"reason": "Add multiple Availability Zones to the Auto Scaling Group."
}
],
"adviseBeforeFixFunction": "Ensure that the additional Availability Zones have the necessary capacity and resources."
},
{
"name": "AutoScalingLaunchTemplate",
"description": "Ensures that Auto Scaling Groups use launch templates instead of launch configurations.",
"priority": 3,
"priorityReason": "Launch templates provide better flexibility and are recommended over launch configurations.",
"awsService": "AutoScaling",
"awsServiceCategory": "Auto Scaling Group",
"bestPracticeCategory": "Configuration",
"requiredParametersForFix": [
{
"name": "launchTemplateId",
"description": "The ID of the launch template to associate with the Auto Scaling Group.",
"default": "",
"example": "lt-0123456789abcdef0"
},
{
"name": "launchTemplateVersion",
"description": "The version of the launch template to use.",
"default": "$Latest",
"example": "$Latest"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeAutoScalingGroupsCommand",
"reason": "Retrieve Auto Scaling Group configurations to check for launch configuration usage."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateAutoScalingGroupCommand",
"reason": "Switch the Auto Scaling Group to use a launch template."
}
],
"adviseBeforeFixFunction": "Ensure the launch template is properly configured before associating it with the Auto Scaling Group."
},
{
"name": "CloudFrontAccessLogsEnabled",
"description": "Ensures that access logging is enabled for CloudFront distributions.",
"priority": 2,
"priorityReason": "Access logs help monitor and analyze distribution traffic.",
"awsService": "CloudFront",
"awsServiceCategory": "Content Delivery Network",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "s3BucketName",
"description": "The name of the S3 bucket to store access logs.",
"default": "",
"example": "my-cloudfront-logs-bucket"
},
{
"name": "s3BucketPrefix",
"description": "The prefix for the access logs in the S3 bucket.",
"default": "",
"example": "CloudFront/logs/"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetDistributionCommand",
"reason": "Retrieve the configuration of CloudFront distributions to check logging status."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateDistributionCommand",
"reason": "Enable access logging and configure the S3 bucket for the CloudFront distribution."
}
],
"adviseBeforeFixFunction": "Ensure the S3 bucket exists and has the necessary permissions to receive access logs."
},
{
"name": "CloudFrontAssociatedWithWAF",
"description": "Ensures that CloudFront distributions are associated with a WAF WebACL.",
"priority": 1,
"priorityReason": "WAF protects the distribution from known vulnerabilities and attacks.",
"awsService": "CloudFront",
"awsServiceCategory": "Content Delivery Network",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "webAclArn",
"description": "The ARN of the global-scope (CloudFront) WAF WebACL, created in us-east-1, to associate with the CloudFront distribution.",
"default": "",
"example": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/12345678-1234-5678-abcd-1234567890ab"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetDistributionCommand",
"reason": "Retrieve the configuration of CloudFront distributions to check for WAF WebACL association."
}
],
"commandUsedInFixFunction": [
{
"name": "AssociateWebACLCommand",
"reason": "Associate a WAF WebACL with the CloudFront distribution."
}
],
"adviseBeforeFixFunction": "Ensure the WAF WebACL is properly configured before associating it."
},
{
"name": "CloudFrontDefaultRootObjectConfigured",
"description": "Ensures that a default root object is configured for CloudFront distributions.",
"priority": 3,
"priorityReason": "A default root object improves user experience by serving content for root domain requests.",
"awsService": "CloudFront",
"awsServiceCategory": "Content Delivery Network",
"bestPracticeCategory": "Configuration",
"requiredParametersForFix": [
{
"name": "defaultRootObject",
"description": "The default root object to configure for the CloudFront distribution.",
"default": "index.html",
"example": "index.html"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetDistributionCommand",
"reason": "Retrieve the configuration of CloudFront distributions to check for a default root object."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateDistributionCommand",
"reason": "Set a default root object for the CloudFront distribution."
}
],
"adviseBeforeFixFunction": "Ensure the specified root object exists in the origin bucket or server."
},
{
"name": "CloudFrontNoDeprecatedSSLProtocols",
"description": "Ensures that deprecated SSL protocols like SSLv3 are not enabled for CloudFront distributions.",
"priority": 1,
"priorityReason": "Deprecated SSL protocols pose security risks and should be disabled.",
"awsService": "CloudFront",
"awsServiceCategory": "Content Delivery Network",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetDistributionCommand",
"reason": "Retrieve the configuration of CloudFront distributions to check SSL protocols."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateDistributionCommand",
"reason": "Update the SSL protocol settings to disable deprecated protocols."
}
],
"adviseBeforeFixFunction": "Ensure the change aligns with your application's SSL requirements."
},
{
"name": "CloudFrontViewerPolicyHTTPS",
"description": "Ensures that viewer protocol policies enforce HTTPS for all CloudFront distributions.",
"priority": 1,
"priorityReason": "Enforcing HTTPS ensures secure communication between the client and the distribution.",
"awsService": "CloudFront",
"awsServiceCategory": "Content Delivery Network",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetDistributionCommand",
"reason": "Retrieve the configuration of CloudFront distributions to check viewer protocol policies."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateDistributionCommand",
"reason": "Update viewer protocol policies to enforce HTTPS for all behaviors."
}
],
"adviseBeforeFixFunction": "Ensure all origins are configured to accept HTTPS traffic."
},
{
"name": "CloudWatchAlarmSettingsCheck",
"description": "Ensures that CloudWatch alarms are configured with the required settings.",
"priority": 3,
"priorityReason": "Properly configured alarms ensure timely monitoring and response to system events.",
"awsService": "CloudWatch",
"awsServiceCategory": "Alarms",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "alarmParameters",
"description": "The required parameters to configure the alarm properly.",
"default": "{}",
"example": "{\"MetricName\": \"CPUUtilization\", \"Threshold\": 80, \"ComparisonOperator\": \"GreaterThanOrEqualToThreshold\"}"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeAlarmsCommand",
"reason": "Retrieve CloudWatch alarm configurations to check for required parameters."
}
],
"commandUsedInFixFunction": [
{
"name": "PutMetricAlarmCommand",
"reason": "Update the alarm settings to match the required configuration."
}
],
"adviseBeforeFixFunction": "Ensure the specified metric and parameters align with the monitoring objectives."
},
{
"name": "CodeBuildProjectEnvironmentPrivilegedCheck",
"description": "Ensures that CodeBuild projects do not have privileged mode enabled in their environment.",
"priority": 1,
"priorityReason": "Privileged mode can pose a security risk by allowing unrestricted access to resources.",
"awsService": "CodeBuild",
"awsServiceCategory": "Build Projects",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "BatchGetProjectsCommand",
"reason": "Retrieve CodeBuild project configurations to check for privileged mode."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateProjectCommand",
"reason": "Disable privileged mode for the CodeBuild project."
}
],
"adviseBeforeFixFunction": "Ensure that privileged mode is not required for specific build operations."
},
{
"name": "CodeBuildProjectLoggingEnabled",
"description": "Ensures that CodeBuild projects have logging enabled to CloudWatch or S3.",
"priority": 2,
"priorityReason": "Logs help monitor and debug the build process.",
"awsService": "CodeBuild",
"awsServiceCategory": "Build Projects",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "logGroupArn",
"description": "The ARN of the CloudWatch Log Group to store build logs.",
"default": "",
"example": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/logs:*"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "BatchGetProjectsCommand",
"reason": "Retrieve CodeBuild project configurations to check for logging settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateProjectCommand",
"reason": "Enable logging for the CodeBuild project."
}
],
"adviseBeforeFixFunction": "Ensure the specified CloudWatch Log Group exists and has necessary permissions."
},
{
"name": "CodeDeployAutoRollbackMonitorEnabled",
"description": "Ensures that CodeDeploy deployment groups have monitoring alarms and auto-rollback enabled.",
"priority": 1,
"priorityReason": "Monitoring alarms and auto-rollback reduce the risk of failed deployments impacting production.",
"awsService": "CodeDeploy",
"awsServiceCategory": "Deployment Groups",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [
{
"name": "alarmConfiguration",
"description": "Configuration for CloudWatch alarms to monitor during deployments.",
"default": "{}",
"example": "{\"enabled\": true, \"alarms\": [{\"name\": \"HighErrorRate\"}]}"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListDeploymentGroupsCommand",
"reason": "Retrieve deployment groups to check for alarm and rollback configuration."
},
{
"name": "BatchGetDeploymentGroupsCommand",
"reason": "Fetch detailed configuration of the deployment groups."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateDeploymentGroupCommand",
"reason": "Enable monitoring alarms and auto-rollback for the deployment group."
}
],
"adviseBeforeFixFunction": "Ensure the monitoring alarms are set up and configured properly."
},
{
"name": "DynamoDBAutoscalingEnabled",
"description": "Ensures that DynamoDB tables have autoscaling enabled for read and write capacity.",
"priority": 1,
"priorityReason": "Autoscaling ensures the table can handle varying workloads without manual intervention.",
"awsService": "DynamoDB",
"awsServiceCategory": "NoSQL Database",
"bestPracticeCategory": "Performance",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTableCommand",
"reason": "Retrieve table information to check billing mode and autoscaling policies."
},
{
"name": "DescribeScalingPoliciesCommand",
"reason": "Check for existing autoscaling policies for the table."
}
],
"commandUsedInFixFunction": [
{
"name": "PutScalingPolicyCommand",
"reason": "Create or update autoscaling policies for the table."
}
],
"adviseBeforeFixFunction": "Ensure the workload patterns are well understood to configure autoscaling appropriately."
},
{
"name": "DynamoDBLastBackupRecoveryPointCreated",
"description": "Ensures that DynamoDB tables have a recent backup or recovery point created within the last 24 hours.",
"priority": 1,
"priorityReason": "Frequent backups ensure data recovery in case of accidental deletion or corruption.",
"awsService": "DynamoDB",
"awsServiceCategory": "NoSQL Database",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListBackupsCommand",
"reason": "Retrieve the list of backups for the table to check for recent recovery points."
}
],
"commandUsedInFixFunction": [
{
"name": "CreateBackupCommand",
"reason": "Create a new backup for the DynamoDB table."
}
],
"adviseBeforeFixFunction": "Ensure that backup policies are aligned with organizational data retention requirements."
},
{
"name": "DynamoDBPITREnabled",
"description": "Ensures that Point-In-Time Recovery (PITR) is enabled for DynamoDB tables.",
"priority": 2,
"priorityReason": "PITR allows recovery to any point in the last 35 days, enhancing resilience against accidental data loss.",
"awsService": "DynamoDB",
"awsServiceCategory": "NoSQL Database",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeContinuousBackupsCommand",
"reason": "Retrieve table information to check if PITR is enabled."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateContinuousBackupsCommand",
"reason": "Enable Point-In-Time Recovery for the table."
}
],
"adviseBeforeFixFunction": "Ensure PITR is enabled only on tables requiring this feature to manage costs."
},
{
"name": "DynamoDBTableDeletionProtectionEnabled",
"description": "Ensures that deletion protection is enabled for DynamoDB tables.",
"priority": 1,
"priorityReason": "Deletion protection prevents accidental deletion of critical tables.",
"awsService": "DynamoDB",
"awsServiceCategory": "NoSQL Database",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTableCommand",
"reason": "Retrieve table information to check deletion protection settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateTableCommand",
"reason": "Enable deletion protection for the table."
}
],
"adviseBeforeFixFunction": "Ensure deletion protection aligns with the operational requirements of the application."
},
{
"name": "DynamoDBTableEncryptedKMS",
"description": "Ensures that DynamoDB tables are encrypted using KMS keys.",
"priority": 1,
"priorityReason": "KMS encryption protects sensitive data stored in DynamoDB tables.",
"awsService": "DynamoDB",
"awsServiceCategory": "NoSQL Database",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "kmsKeyId",
"description": "The ID or ARN of the KMS key to use for encrypting the table.",
"default": "",
"example": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTableCommand",
"reason": "Retrieve table information to check encryption settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateTableCommand",
"reason": "Enable encryption using the specified KMS key."
}
],
"adviseBeforeFixFunction": "Ensure the specified KMS key is accessible and properly configured."
},
{
"name": "EC2InstanceProfileAttached",
"description": "Ensures that all EC2 instances have an IAM instance profile attached.",
"priority": 2,
"priorityReason": "IAM instance profiles enable secure access to AWS services from EC2 instances.",
"awsService": "EC2",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "instanceProfileName",
"description": "The name of the IAM instance profile to attach.",
"default": "",
"example": "EC2InstanceProfile"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeInstancesCommand",
"reason": "Check if IAM instance profiles are attached to EC2 instances."
}
],
"commandUsedInFixFunction": [
{
"name": "AssociateIamInstanceProfileCommand",
"reason": "Attach an IAM instance profile to the EC2 instance."
}
],
"adviseBeforeFixFunction": "Ensure the IAM instance profile has the required policies attached."
},
{
"name": "EC2StoppedInstance",
"description": "Ensures that unused stopped EC2 instances are terminated.",
"priority": 1,
"priorityReason": "Terminating stopped instances reduces costs and frees up resources.",
"awsService": "EC2",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Cost Management",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeInstancesCommand",
"reason": "Identify stopped EC2 instances."
}
],
"commandUsedInFixFunction": [
{
"name": "TerminateInstancesCommand",
"reason": "Terminate unused stopped EC2 instances."
}
],
"adviseBeforeFixFunction": "Ensure that the stopped instances, and any data on the volumes that will be deleted with them, are no longer needed before terminating them."
},
{
"name": "ECRPrivateImageScanningEnabled",
"description": "Ensures that image scanning on push is enabled for ECR repositories.",
"priority": 1,
"priorityReason": "Enabling image scanning on push helps identify vulnerabilities in container images.",
"awsService": "ECR",
"awsServiceCategory": "Container Registry",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeRepositoriesCommand",
"reason": "Retrieve repository configurations to check if image scanning on push is enabled."
}
],
"commandUsedInFixFunction": [
{
"name": "PutImageScanningConfigurationCommand",
"reason": "Enable image scanning on push for the repository."
}
],
"adviseBeforeFixFunction": "Ensure the repository content complies with scanning requirements."
},
{
"name": "ECRPrivateLifecyclePolicyConfigured",
"description": "Ensures that lifecycle policies are configured for ECR repositories.",
"priority": 2,
"priorityReason": "Lifecycle policies help manage repository storage by automatically removing unneeded images.",
"awsService": "ECR",
"awsServiceCategory": "Container Registry",
"bestPracticeCategory": "Cost Management",
"requiredParametersForFix": [
{
"name": "lifecyclePolicyText",
"description": "The JSON-formatted lifecycle policy text.",
"default": "",
"example": "{\"rules\": [{\"rulePriority\": 1, \"description\": \"Keep only recent images\", \"selection\": {\"tagStatus\": \"untagged\", \"countType\": \"imageCountMoreThan\", \"countNumber\": 10, \"tagPrefixList\": []}, \"action\": {\"type\": \"expire\"}}]}"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetLifecyclePolicyCommand",
"reason": "Check if a lifecycle policy is configured for the repository."
}
],
"commandUsedInFixFunction": [
{
"name": "PutLifecyclePolicyCommand",
"reason": "Configure a lifecycle policy for the repository."
}
],
"adviseBeforeFixFunction": "Ensure the lifecycle policy aligns with retention requirements."
},
{
"name": "ECRPrivateTagImmutabilityEnabled",
"description": "Ensures that tag immutability is enabled for ECR repositories.",
"priority": 2,
"priorityReason": "Tag immutability prevents overwriting tags, ensuring image stability and integrity.",
"awsService": "ECR",
"awsServiceCategory": "Container Registry",
"bestPracticeCategory": "Configuration",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeRepositoriesCommand",
"reason": "Retrieve repository configurations to check if tag immutability is enabled."
}
],
"commandUsedInFixFunction": [
{
"name": "PutImageTagMutabilityCommand",
"reason": "Enable tag immutability for the repository."
}
],
"adviseBeforeFixFunction": "Ensure that enabling tag immutability does not disrupt existing workflows."
},
{
"name": "ECSContainersNonPrivileged",
"description": "Ensures that ECS containers do not run in privileged mode.",
"priority": 1,
"priorityReason": "Privileged mode can give containers elevated access to the host system, posing a security risk.",
"awsService": "ECS",
"awsServiceCategory": "Task Definitions",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTaskDefinitionCommand",
"reason": "Retrieve task definition details to check container privilege settings."
}
],
"commandUsedInFixFunction": [
{
"name": "RegisterTaskDefinitionCommand",
"reason": "Update the task definition to disable privileged mode."
}
],
"adviseBeforeFixFunction": "Ensure the containers do not require privileged mode for their operations."
},
{
"name": "ECSContainerInsightsEnabled",
"description": "Ensures that ECS clusters have Container Insights enabled.",
"priority": 2,
"priorityReason": "Container Insights provides detailed monitoring metrics and logs for ECS clusters and services.",
"awsService": "ECS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeClustersCommand",
"reason": "Retrieve ECS cluster configurations to check for Container Insights settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateClusterSettingsCommand",
"reason": "Enable Container Insights for the ECS cluster."
}
],
"adviseBeforeFixFunction": "Ensure CloudWatch is configured to receive metrics and logs from Container Insights."
},
{
"name": "ECSTaskDefinitionLogConfiguration",
"description": "Ensures that ECS task definitions include a log configuration.",
"priority": 1,
"priorityReason": "Log configuration ensures that container logs are sent to a centralized logging service such as CloudWatch.",
"awsService": "ECS",
"awsServiceCategory": "Task Definitions",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "logDriver",
"description": "The log driver to use for the task definition.",
"default": "awslogs",
"example": "awslogs"
},
{
"name": "logOptions",
"description": "The options for the log driver, such as log group name and region.",
"default": "{}",
"example": "{\"awslogs-group\": \"/ecs/example\", \"awslogs-region\": \"us-east-1\"}"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTaskDefinitionCommand",
"reason": "Retrieve task definition details to check for log configuration."
}
],
"commandUsedInFixFunction": [
{
"name": "RegisterTaskDefinitionCommand",
"reason": "Update the task definition to include a log configuration."
}
],
"adviseBeforeFixFunction": "Ensure the log group exists and is configured to receive logs."
},
{
"name": "ECSTaskDefinitionMemoryHardLimit",
"description": "Ensures that ECS containers specify a memory hard limit in the task definition.",
"priority": 1,
"priorityReason": "Specifying a memory hard limit prevents containers from consuming excessive memory, protecting other processes.",
"awsService": "ECS",
"awsServiceCategory": "Task Definitions",
"bestPracticeCategory": "Performance",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTaskDefinitionCommand",
"reason": "Retrieve task definition details to check memory limit settings."
}
],
"commandUsedInFixFunction": [
{
"name": "RegisterTaskDefinitionCommand",
"reason": "Update the task definition to specify a memory hard limit."
}
],
"adviseBeforeFixFunction": "Ensure containers are tested with the specified memory limits."
},
{
"name": "ECSTaskDefinitionNonRootUser",
"description": "Ensures that ECS containers run as a non-root user.",
"priority": 1,
"priorityReason": "Running containers as a non-root user reduces the risk of privilege escalation attacks.",
"awsService": "ECS",
"awsServiceCategory": "Task Definitions",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "user",
"description": "The user to run the container as.",
"default": "",
"example": "appuser"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTaskDefinitionCommand",
"reason": "Retrieve task definition details to check the container user settings."
}
],
"commandUsedInFixFunction": [
{
"name": "RegisterTaskDefinitionCommand",
"reason": "Update the task definition to run the container as a non-root user."
}
],
"adviseBeforeFixFunction": "Ensure the application can run with non-root permissions."
},
{
"name": "EFSAccessPointEnforceRootDirectory",
"description": "Ensures that EFS access points enforce a non-root directory for enhanced security.",
"priority": 2,
"priorityReason": "Restricting access to specific directories reduces the risk of data exposure.",
"awsService": "EFS",
"awsServiceCategory": "Access Points",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "path",
"description": "The path to enforce as the root directory for the access point.",
"default": "/data",
"example": "/data"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeAccessPointsCommand",
"reason": "Retrieve information about EFS access points to check their root directory configuration."
}
],
"commandUsedInFixFunction": [
{
"name": "CreateAccessPointCommand",
"reason": "Reconfigure the access point to enforce a specific root directory."
}
],
"adviseBeforeFixFunction": "Ensure that the directory path is properly configured and exists in the file system."
},
{
"name": "EFSAccessPointEnforceUserIdentity",
"description": "Ensures that EFS access points enforce a user identity for operations.",
"priority": 2,
"priorityReason": "Enforcing a user identity ensures accountability and proper access control.",
"awsService": "EFS",
"awsServiceCategory": "Access Points",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "posixUser",
"description": "The POSIX user configuration to enforce on the access point.",
"default": "{}",
"example": "{\"Uid\": 1001, \"Gid\": 1001, \"SecondaryGids\": [1002]}"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeAccessPointsCommand",
"reason": "Retrieve access point details to check POSIX user settings."
}
],
"commandUsedInFixFunction": [
{
"name": "CreateAccessPointCommand",
"reason": "Reconfigure the access point to enforce a user identity."
}
],
"adviseBeforeFixFunction": "Ensure the specified POSIX user is valid and properly configured in the file system."
},
{
"name": "EFSAutomaticBackupsEnabled",
"description": "Ensures that automatic backups are enabled for EFS file systems.",
"priority": 1,
"priorityReason": "Automatic backups ensure data recovery in case of accidental deletion or corruption.",
"awsService": "EFS",
"awsServiceCategory": "File Systems",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeBackupPolicyCommand",
"reason": "Check the backup policy for EFS file systems."
}
],
"commandUsedInFixFunction": [
{
"name": "PutBackupPolicyCommand",
"reason": "Enable automatic backups for the file system."
}
],
"adviseBeforeFixFunction": "Verify backup retention policies align with organizational requirements."
},
{
"name": "EFSEncryptedCheck",
"description": "Ensures that EFS file systems are encrypted at rest.",
"priority": 1,
"priorityReason": "Encryption at rest protects sensitive data stored in EFS file systems.",
"awsService": "EFS",
"awsServiceCategory": "File Systems",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeFileSystemsCommand",
"reason": "Check if the file systems are encrypted."
}
],
"commandUsedInFixFunction": [
{
"name": "CreateFileSystemCommand",
"reason": "Recreate the file system with encryption enabled."
}
],
"adviseBeforeFixFunction": "Ensure data migration is planned before recreating the file system with encryption."
},
{
"name": "EFSMountTargetPublicAccessible",
"description": "Ensures that EFS mount targets are not publicly accessible.",
"priority": 1,
"priorityReason": "Restricting public access prevents unauthorized access to file systems.",
"awsService": "EFS",
"awsServiceCategory": "Mount Targets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeMountTargetsCommand",
"reason": "Retrieve information about mount targets to check public accessibility."
},
{
"name": "DescribeRouteTablesCommand",
"reason": "Check if mount targets are associated with routes exposing them publicly."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyMountTargetSecurityGroupsCommand",
"reason": "Restrict access to the mount target by updating security groups."
}
],
"adviseBeforeFixFunction": "Ensure the security group rules align with organizational access policies."
},
{
"name": "EKSClusterLoggingEnabled",
"description": "Ensures that EKS clusters have all logging types enabled.",
"priority": 2,
"priorityReason": "Enabling cluster logging ensures better monitoring, troubleshooting, and compliance.",
"awsService": "EKS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeClusterCommand",
"reason": "Retrieve cluster details to check logging configurations."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateClusterConfigCommand",
"reason": "Enable all available logging types for the EKS cluster."
}
],
"adviseBeforeFixFunction": "Ensure enabling logging will not impact current cluster performance or cost significantly."
},
{
"name": "EKSClusterSecretsEncrypted",
"description": "Ensures that EKS clusters use KMS encryption for secrets.",
"priority": 1,
"priorityReason": "Encrypting secrets enhances security and meets compliance requirements.",
"awsService": "EKS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "kmsKeyArn",
"description": "The ARN of the KMS key to use for secrets encryption.",
"default": "",
"example": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeClusterCommand",
"reason": "Check if the cluster has encryption enabled for secrets."
}
],
"commandUsedInFixFunction": [
{
"name": "AssociateEncryptionConfigCommand",
"reason": "Add encryption configuration to the EKS cluster."
}
],
"adviseBeforeFixFunction": "Ensure the specified KMS key is available and properly configured for the cluster."
},
{
"name": "EKSEndpointNoPublicAccess",
"description": "Ensures that EKS cluster endpoints are not publicly accessible.",
"priority": 1,
"priorityReason": "Restricting public access prevents unauthorized access to the cluster.",
"awsService": "EKS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeClusterCommand",
"reason": "Retrieve cluster endpoint configuration to check public access settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateClusterConfigCommand",
"reason": "Disable public access for the cluster endpoint."
}
],
"adviseBeforeFixFunction": "Ensure private access is properly configured before disabling public access."
},
{
"name": "ElastiCacheAutoMinorVersionUpgradeCheck",
"description": "Ensures that Auto Minor Version Upgrade is enabled for ElastiCache clusters.",
"priority": 2,
"priorityReason": "Keeping clusters updated with minor versions ensures they receive the latest security patches and bug fixes.",
"awsService": "ElastiCache",
"awsServiceCategory": "Cache Clusters",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeCacheClustersCommand",
"reason": "Retrieve cluster configurations to check Auto Minor Version Upgrade settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyCacheClusterCommand",
"reason": "Enable Auto Minor Version Upgrade for the cluster."
}
],
"adviseBeforeFixFunction": "Ensure enabling minor version upgrades aligns with application compatibility."
},
{
"name": "ElastiCacheRedisClusterAutomaticBackupCheck",
"description": "Ensures that automatic backups are enabled for ElastiCache Redis clusters.",
"priority": 1,
"priorityReason": "Automatic backups are crucial for data recovery in case of accidental deletion or corruption.",
"awsService": "ElastiCache",
"awsServiceCategory": "Redis",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [
{
"name": "snapshotRetentionLimit",
"description": "The number of days to retain backups.",
"default": "7",
"example": "7"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeReplicationGroupsCommand",
"reason": "Check if automatic backups are enabled for replication groups."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyReplicationGroupCommand",
"reason": "Enable automatic backups for the Redis replication group."
}
],
"adviseBeforeFixFunction": "Verify the snapshot retention policy aligns with organizational recovery requirements."
},
{
"name": "ElastiCacheSubnetGroupCheck",
"description": "Ensures that ElastiCache clusters are not using the default subnet group.",
"priority": 2,
"priorityReason": "Using a custom subnet group ensures better control over network configurations.",
"awsService": "ElastiCache",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Configuration",
"requiredParametersForFix": [
{
"name": "subnetGroupName",
"description": "The name of the custom subnet group to use.",
"default": "",
"example": "custom-subnet-group"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeCacheClustersCommand",
"reason": "Retrieve cluster configurations to check subnet group settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyCacheClusterCommand",
"reason": "Update the cluster to use a custom subnet group."
}
],
"adviseBeforeFixFunction": "Ensure the custom subnet group is properly configured and meets network requirements."
},
{
"name": "IAMPolicyNoStatementsWithAdminAccess",
"description": "Ensures that IAM policies do not contain statements granting full administrative access.",
"priority": 1,
"priorityReason": "Granting full administrative access violates the principle of least privilege and poses a security risk.",
"awsService": "IAM",
"awsServiceCategory": "Policies",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListPoliciesCommand",
"reason": "Retrieve the list of local IAM policies."
},
{
"name": "GetPolicyVersionCommand",
"reason": "Retrieve the default version of IAM policies to analyze their statements."
}
],
"commandUsedInFixFunction": [
{
"name": "CreatePolicyVersionCommand",
"reason": "Create a new policy version with restricted permissions."
},
{
"name": "SetDefaultPolicyVersionCommand",
"reason": "Set the new policy version as the default."
}
],
"adviseBeforeFixFunction": "Review the policy requirements to ensure removing administrative access will not disrupt operations."
},
{
"name": "IAMPolicyNoStatementsWithFullAccess",
"description": "Ensures that IAM policies do not contain statements granting full access to specific services.",
"priority": 1,
"priorityReason": "Granting full access to specific services can lead to unintentional misuse or privilege escalation.",
"awsService": "IAM",
"awsServiceCategory": "Policies",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListPoliciesCommand",
"reason": "Retrieve the list of local IAM policies."
},
{
"name": "GetPolicyVersionCommand",
"reason": "Retrieve the default version of IAM policies to analyze their statements."
}
],
"commandUsedInFixFunction": [
{
"name": "CreatePolicyVersionCommand",
"reason": "Create a new policy version with restricted permissions."
},
{
"name": "SetDefaultPolicyVersionCommand",
"reason": "Set the new policy version as the default."
}
],
"adviseBeforeFixFunction": "Review the policy requirements to ensure removing full access permissions will not disrupt operations."
},
{
"name": "IAMRoleManagedPolicyCheck",
"description": "Ensures that managed policies are attached to IAM roles, groups, or users.",
"priority": 2,
"priorityReason": "Attaching managed policies ensures consistent permissions and simplifies policy management.",
"awsService": "IAM",
"awsServiceCategory": "Roles",
"bestPracticeCategory": "Configuration",
"requiredParametersForFix": [
{
"name": "roleName",
"description": "The name of the IAM role to attach the managed policy to.",
"default": "",
"example": "MyRole"
},
{
"name": "policyArn",
"description": "The ARN of the managed policy to attach.",
"default": "",
"example": "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListPoliciesCommand",
"reason": "Retrieve the list of managed IAM policies."
},
{
"name": "ListEntitiesForPolicyCommand",
"reason": "Check which entities are attached to each managed policy."
}
],
"commandUsedInFixFunction": [
{
"name": "AttachRolePolicyCommand",
"reason": "Attach a managed policy to an IAM role."
}
],
"adviseBeforeFixFunction": "Ensure the managed policy aligns with the role's intended permissions."
},
{
"name": "LambdaDLQCheck",
"description": "Ensures that AWS Lambda functions have a Dead Letter Queue (DLQ) configured.",
"priority": 2,
"priorityReason": "Configuring a DLQ ensures that failed Lambda invocations are captured for troubleshooting and analysis.",
"awsService": "Lambda",
"awsServiceCategory": "Functions",
"bestPracticeCategory": "Reliability",
"requiredParametersForFix": [
{
"name": "dlqArn",
"description": "The ARN of the Dead Letter Queue to configure.",
"default": "",
"example": "arn:aws:sqs:us-east-1:123456789012:MyDLQ"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListFunctionsCommand",
"reason": "Retrieve the list of Lambda functions to check for DLQ configurations."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateFunctionConfigurationCommand",
"reason": "Configure a Dead Letter Queue for the Lambda function."
}
],
"adviseBeforeFixFunction": "Ensure the DLQ exists and has the appropriate permissions to receive failed messages."
},
{
"name": "LambdaFunctionPublicAccessProhibited",
"description": "Ensures that AWS Lambda functions are not publicly accessible.",
"priority": 1,
"priorityReason": "Publicly accessible Lambda functions can lead to security vulnerabilities and unauthorized usage.",
"awsService": "Lambda",
"awsServiceCategory": "Functions",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetPolicyCommand",
"reason": "Retrieve the Lambda function's resource-based policy to check for public access."
}
],
"commandUsedInFixFunction": [
{
"name": "RemovePermissionCommand",
"reason": "Remove any permissions that grant public access to the Lambda function."
}
],
"adviseBeforeFixFunction": "Verify that removing public access will not disrupt intended functionality."
},
{
"name": "LambdaFunctionSettingsCheck",
"description": "Ensures that AWS Lambda functions do not use default settings for timeout and memory.",
"priority": 2,
"priorityReason": "Customizing timeout and memory settings optimizes function performance and cost.",
"awsService": "Lambda",
"awsServiceCategory": "Functions",
"bestPracticeCategory": "Performance",
"requiredParametersForFix": [
{
"name": "timeout",
"description": "The timeout duration (in seconds) for the Lambda function.",
"default": "15",
"example": "15"
},
{
"name": "memorySize",
"description": "The memory size (in MB) allocated to the Lambda function.",
"default": "256",
"example": "256"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListFunctionsCommand",
"reason": "Retrieve the list of Lambda functions to check their settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateFunctionConfigurationCommand",
"reason": "Update the function's timeout and memory settings."
}
],
"adviseBeforeFixFunction": "Ensure the updated settings align with the function's performance and cost requirements."
},
{
"name": "LambdaInsideVPC",
"description": "Ensures that AWS Lambda functions are configured to run inside a VPC.",
"priority": 1,
"priorityReason": "Running Lambda functions inside a VPC provides additional security and control over network traffic.",
"awsService": "Lambda",
"awsServiceCategory": "Functions",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "subnetIds",
"description": "The subnet IDs for the Lambda function to use.",
"default": "",
"example": "subnet-12345678,subnet-87654321"
},
{
"name": "securityGroupIds",
"description": "The security group IDs for the Lambda function to use.",
"default": "",
"example": "sg-12345678,sg-87654321"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListFunctionsCommand",
"reason": "Retrieve the list of Lambda functions to check their VPC configurations."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateFunctionConfigurationCommand",
"reason": "Configure the function to use a VPC."
}
],
"adviseBeforeFixFunction": "Ensure the specified subnets and security groups are configured correctly and have necessary permissions."
},
{
"name": "AuroraLastBackupRecoveryPointCreated",
"description": "Ensures that Aurora DB clusters have a recent recovery point created.",
"priority": 1,
"priorityReason": "Recent backups ensure data recovery in case of accidental deletion or corruption.",
"awsService": "RDS",
"awsServiceCategory": "Aurora Clusters",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve the list of Aurora DB clusters."
},
{
"name": "DescribeDBClusterSnapshotsCommand",
"reason": "Check the most recent recovery point for each cluster."
}
],
"commandUsedInFixFunction": [
{
"name": "CreateDBClusterSnapshotCommand",
"reason": "Create a new recovery point for the Aurora DB cluster."
}
],
"adviseBeforeFixFunction": "Ensure the DB cluster is in a stable state before creating a snapshot."
},
{
"name": "AuroraMySQLBacktrackingEnabled",
"description": "Ensures that backtracking is enabled for Aurora MySQL clusters.",
"priority": 2,
"priorityReason": "Backtracking allows quick recovery from accidental data modifications.",
"awsService": "RDS",
"awsServiceCategory": "Aurora Clusters",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [
{
"name": "backtrackWindow",
"description": "The backtracking window in seconds.",
"default": "86400",
"example": "86400"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve the list of Aurora MySQL clusters and check their backtracking configuration."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBClusterCommand",
"reason": "Enable backtracking for the Aurora MySQL cluster."
}
],
"adviseBeforeFixFunction": "Ensure enabling backtracking does not disrupt the current cluster configuration."
},
{
"name": "DBInstanceBackupEnabled",
"description": "Ensures that backups are enabled for RDS instances.",
"priority": 1,
"priorityReason": "Enabling backups is critical for disaster recovery and data protection.",
"awsService": "RDS",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [
{
"name": "backupRetentionPeriod",
"description": "The number of days to retain automated backups.",
"default": "7",
"example": "7"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBInstancesCommand",
"reason": "Retrieve the list of RDS instances and check their backup settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBInstanceCommand",
"reason": "Enable automated backups for the RDS instance."
}
],
"adviseBeforeFixFunction": "Ensure the backup retention policy meets organizational recovery requirements."
},
{
"name": "RDSClusterIAMAuthenticationEnabled",
"description": "Ensures that IAM authentication is enabled for RDS clusters.",
"priority": 2,
"priorityReason": "IAM authentication simplifies credential management and enhances security.",
"awsService": "RDS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve the list of RDS clusters and check their IAM authentication settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBClusterCommand",
"reason": "Enable IAM authentication for the RDS cluster."
}
],
"adviseBeforeFixFunction": "Ensure IAM roles are properly configured to support database authentication."
},
{
"name": "RDSClusterDeletionProtectionEnabled",
"description": "Ensures that deletion protection is enabled for RDS clusters.",
"priority": 1,
"priorityReason": "Deletion protection prevents accidental deletion of critical RDS clusters.",
"awsService": "RDS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve the list of RDS clusters and check their deletion protection settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBClusterCommand",
"reason": "Enable deletion protection for the RDS cluster."
}
],
"adviseBeforeFixFunction": "Ensure deletion protection aligns with operational requirements and does not block intentional deletions."
},
{
"name": "RDSClusterEncryptedAtRest",
"description": "Ensures that RDS clusters are encrypted at rest.",
"priority": 1,
"priorityReason": "Encryption at rest protects sensitive data stored in RDS clusters.",
"awsService": "RDS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve the list of RDS clusters and check their encryption settings."
}
],
"commandUsedInFixFunction": [
{
"name": "CreateDBClusterCommand",
"reason": "Recreate the RDS cluster with encryption enabled."
}
],
"adviseBeforeFixFunction": "Ensure data migration is planned before recreating the RDS cluster with encryption."
},
{
"name": "S3BucketVersioningEnabled",
"description": "Ensures that S3 bucket versioning is enabled.",
"priority": 1,
"priorityReason": "Enabling versioning helps protect against accidental overwrites and deletions.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Resilience",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetBucketVersioningCommand",
"reason": "Check if versioning is enabled for the S3 bucket."
}
],
"commandUsedInFixFunction": [
{
"name": "PutBucketVersioningCommand",
"reason": "Enable versioning for the S3 bucket."
}
],
"adviseBeforeFixFunction": "Ensure that enabling versioning aligns with cost and recovery policies."
},
{
"name": "S3BucketSSLRequestsOnly",
"description": "Ensures that S3 buckets require SSL for requests.",
"priority": 1,
"priorityReason": "Requiring SSL ensures secure data transmission to and from the bucket.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetBucketPolicyCommand",
"reason": "Retrieve the bucket policy to check for SSL enforcement."
}
],
"commandUsedInFixFunction": [
{
"name": "PutBucketPolicyCommand",
"reason": "Update or create a bucket policy to enforce SSL requests."
}
],
"adviseBeforeFixFunction": "Review the impact of enforcing SSL on applications accessing the bucket."
},
{
"name": "S3BucketLoggingEnabled",
"description": "Ensures that S3 bucket logging is enabled.",
"priority": 2,
"priorityReason": "Bucket logging helps in auditing and monitoring access patterns.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "targetBucket",
"description": "The target bucket for storing access logs.",
"default": "",
"example": "my-log-bucket"
},
{
"name": "targetPrefix",
"description": "The prefix for log file names.",
"default": "",
"example": "logs/"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetBucketLoggingCommand",
"reason": "Retrieve the bucket logging configuration."
}
],
"commandUsedInFixFunction": [
{
"name": "PutBucketLoggingCommand",
"reason": "Enable logging for the S3 bucket."
}
],
"adviseBeforeFixFunction": "Ensure the target bucket exists and has the necessary permissions for logging."
},
{
"name": "S3BucketDefaultLockEnabled",
"description": "Ensures that S3 Object Lock is enabled by default on buckets.",
"priority": 1,
"priorityReason": "Object Lock protects objects against deletion or modification for a specified period.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "GetObjectLockConfigurationCommand",
"reason": "Check if the S3 bucket has default Object Lock enabled."
}
],
"commandUsedInFixFunction": [
{
"name": "CreateBucketCommand",
"reason": "Recreate the bucket with Object Lock enabled."
}
],
"adviseBeforeFixFunction": "Recreating a bucket deletes its existing data. Ensure proper data migration is planned."
},
{
"name": "SecretsManagerRotationEnabledCheck",
"description": "Ensures that secret rotation is enabled for AWS Secrets Manager secrets.",
"priority": 1,
"priorityReason": "Enabling rotation reduces the risk of credential compromise by regularly updating them.",
"awsService": "SecretsManager",
"awsServiceCategory": "Secrets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "rotationLambdaARN",
"description": "The ARN of the Lambda function to handle rotation.",
"default": "",
"example": "arn:aws:lambda:us-east-1:123456789012:function:MyRotationLambda"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListSecretsCommand",
"reason": "Retrieve the list of Secrets Manager secrets."
}
],
"commandUsedInFixFunction": [
{
"name": "RotateSecretCommand",
"reason": "Enable rotation for the secret."
}
],
"adviseBeforeFixFunction": "Ensure that the rotation Lambda function is configured correctly to handle secret updates."
},
{
"name": "SecretsManagerScheduledRotationSuccessCheck",
"description": "Ensures that secrets with rotation enabled have been rotated successfully within the scheduled time.",
"priority": 1,
"priorityReason": "Ensuring timely rotation protects against stale or compromised credentials.",
"awsService": "SecretsManager",
"awsServiceCategory": "Secrets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListSecretsCommand",
"reason": "Retrieve the list of Secrets Manager secrets."
}
],
"commandUsedInFixFunction": [
{
"name": "RotateSecretCommand",
"reason": "Force rotation of the secret to update it."
}
],
"adviseBeforeFixFunction": "Verify that the rotation Lambda function is active and can handle forced rotation."
},
{
"name": "SecretsManagerSecretPeriodicRotation",
"description": "Ensures that secrets are rotated periodically, at least every 90 days.",
"priority": 2,
"priorityReason": "Periodic rotation helps mitigate risks of long-lived credentials.",
"awsService": "SecretsManager",
"awsServiceCategory": "Secrets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "rotationDays",
"description": "The number of days after which the secret should be rotated.",
"default": "90",
"example": "90"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListSecretsCommand",
"reason": "Retrieve the list of Secrets Manager secrets."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateSecretCommand",
"reason": "Set the rotation schedule for the secret."
}
],
"adviseBeforeFixFunction": "Ensure rotation rules align with organizational policies and application dependencies."
},
{
"name": "SecurityHubEnabled",
"description": "Ensures that AWS Security Hub is enabled for the AWS account.",
"priority": 1,
"priorityReason": "Enabling Security Hub is critical for monitoring and managing security across AWS accounts.",
"awsService": "SecurityHub",
"awsServiceCategory": "Security Monitoring",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeHubCommand",
"reason": "Check if Security Hub is enabled in the account."
}
],
"commandUsedInFixFunction": [
{
"name": "EnableSecurityHubCommand",
"reason": "Enable Security Hub for the account."
}
],
"adviseBeforeFixFunction": "Ensure that enabling Security Hub aligns with organizational policies and cost considerations."
},
{
"name": "SNSEncryptedKMS",
"description": "Ensures that SNS topics are encrypted using KMS keys.",
"priority": 2,
"priorityReason": "Encrypting SNS topics helps protect sensitive data transmitted via notifications.",
"awsService": "SNS",
"awsServiceCategory": "Topics",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "kmsKeyId",
"description": "The KMS key ID or ARN to encrypt the SNS topic.",
"default": "",
"example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListTopicsCommand",
"reason": "Retrieve the list of SNS topics."
},
{
"name": "GetTopicAttributesCommand",
"reason": "Check the encryption settings of each SNS topic."
}
],
"commandUsedInFixFunction": [
{
"name": "SetTopicAttributesCommand",
"reason": "Enable encryption for the SNS topic."
}
],
"adviseBeforeFixFunction": "Ensure the KMS key is configured correctly and accessible by SNS."
},
{
"name": "SNSTopicMessageDeliveryNotificationEnabled",
"description": "Ensures that SNS topics are configured to send delivery notifications.",
"priority": 3,
"priorityReason": "Enabling delivery notifications ensures visibility into message delivery status.",
"awsService": "SNS",
"awsServiceCategory": "Topics",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "feedbackRoleArn",
"description": "The ARN of the IAM role to enable delivery notifications.",
"default": "",
"example": "arn:aws:iam::123456789012:role/SNSDeliveryRole"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListTopicsCommand",
"reason": "Retrieve the list of SNS topics."
},
{
"name": "GetTopicAttributesCommand",
"reason": "Check if delivery notifications are enabled for each topic."
}
],
"commandUsedInFixFunction": [
{
"name": "SetTopicAttributesCommand",
"reason": "Enable delivery notifications for the SNS topic."
}
],
"adviseBeforeFixFunction": "Ensure the IAM role has the appropriate permissions to manage delivery notifications."
},
{
"name": "EC2TransitGatewayAutoVPCAttachDisabled",
"description": "Ensures that the auto-attach feature of Transit Gateways is disabled.",
"priority": 1,
"priorityReason": "Disabling auto-attach ensures manual control over VPC attachments, enhancing security and governance.",
"awsService": "EC2",
"awsServiceCategory": "Transit Gateways",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTransitGatewaysCommand",
"reason": "Retrieve the list of Transit Gateways and check their auto-attach settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyTransitGatewayCommand",
"reason": "Disable the auto-attach feature for the Transit Gateway."
}
],
"adviseBeforeFixFunction": "Verify that no active auto-attached VPCs will be impacted by disabling this feature."
},
{
"name": "RestrictedSSH",
"description": "Ensures that SSH access (port 22) is restricted to trusted sources.",
"priority": 1,
"priorityReason": "Restricting SSH access prevents unauthorized access to resources and strengthens security.",
"awsService": "EC2",
"awsServiceCategory": "Security Groups",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeSecurityGroupRulesCommand",
"reason": "Retrieve security group rules to check for unrestricted SSH access."
}
],
"commandUsedInFixFunction": [
{
"name": "RevokeSecurityGroupIngressCommand",
"reason": "Revoke rules allowing unrestricted SSH access."
}
],
"adviseBeforeFixFunction": "Ensure that legitimate users have alternative access paths before restricting SSH access."
},
{
"name": "SubnetAutoAssignPublicIPDisabled",
"description": "Ensures that subnets are not configured to automatically assign public IP addresses.",
"priority": 2,
"priorityReason": "Disabling automatic public IP assignment helps prevent unintended exposure of resources to the internet.",
"awsService": "EC2",
"awsServiceCategory": "Subnets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeSubnetsCommand",
"reason": "Retrieve the list of subnets and check their public IP assignment settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifySubnetAttributeCommand",
"reason": "Disable automatic public IP assignment for the subnet."
}
],
"adviseBeforeFixFunction": "Ensure no essential resources require public IPs before disabling this feature."
},
{
"name": "VPCFlowLogsEnabled",
"description": "Ensures that flow logs are enabled for all VPCs.",
"priority": 1,
"priorityReason": "Enabling flow logs provides visibility into network traffic and helps with troubleshooting and auditing.",
"awsService": "EC2",
"awsServiceCategory": "VPCs",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "logGroupName",
"description": "The name of the CloudWatch log group to store flow logs.",
"default": "",
"example": "VPCFlowLogs"
},
{
"name": "iamRoleArn",
"description": "The ARN of the IAM role with permissions to publish flow logs to CloudWatch.",
"default": "",
"example": "arn:aws:iam::123456789012:role/FlowLogsRole"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeVpcsCommand",
"reason": "Retrieve the list of VPCs and check if flow logs are enabled."
}
],
"commandUsedInFixFunction": [
{
"name": "CreateFlowLogsCommand",
"reason": "Enable flow logs for the VPC."
}
],
"adviseBeforeFixFunction": "Ensure the CloudWatch log group and the IAM role are configured to receive the new flow logs."
},
{
"name": "VPCDefaultSecurityGroupClosed",
"description": "Ensures that default security groups have no inbound or outbound rules.",
"priority": 1,
"priorityReason": "Closing default security groups prevents unintended access and strengthens security.",
"awsService": "EC2",
"awsServiceCategory": "Security Groups",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeSecurityGroupsCommand",
"reason": "Retrieve default security groups and check their rules."
}
],
"commandUsedInFixFunction": [
{
"name": "RevokeSecurityGroupIngressCommand",
"reason": "Remove all inbound rules from the default security group."
},
{
"name": "RevokeSecurityGroupEgressCommand",
"reason": "Remove all outbound rules from the default security group."
}
],
"adviseBeforeFixFunction": "Ensure no critical dependencies are relying on the default security group rules."
},
{
"name": "WAFv2LoggingEnabled",
"description": "Ensures that logging is enabled for WAFv2 Web ACLs.",
"priority": 1,
"priorityReason": "Logging provides visibility into WAF actions and helps in auditing and debugging.",
"awsService": "WAFv2",
"awsServiceCategory": "Web ACLs",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "logDestinationArn",
"description": "The ARN of the log group or Kinesis Data Firehose for logging.",
"default": "",
"example": "arn:aws:logs:us-east-1:123456789012:log-group:WAFLogs"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetLoggingConfigurationCommand",
"reason": "Check if logging is enabled for WAF Web ACLs."
},
{
"name": "ListWebACLsCommand",
"reason": "Retrieve the list of Web ACLs."
}
],
"commandUsedInFixFunction": [
{
"name": "PutLoggingConfigurationCommand",
"reason": "Enable logging for WAF Web ACLs."
}
],
"adviseBeforeFixFunction": "Ensure the log destination (CloudWatch Logs or Kinesis Data Firehose) is configured correctly."
},
{
"name": "WAFv2RuleGroupLoggingEnabled",
"description": "Ensures that logging is enabled for WAFv2 Rule Groups.",
"priority": 2,
"priorityReason": "Logging for Rule Groups provides visibility into their actions, helping in auditing and debugging.",
"awsService": "WAFv2",
"awsServiceCategory": "Rule Groups",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetRuleGroupCommand",
"reason": "Retrieve the details of WAF Rule Groups to check their logging configuration."
},
{
"name": "ListRuleGroupsCommand",
"reason": "Retrieve the list of Rule Groups."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateRuleGroupCommand",
"reason": "Enable logging for the WAF Rule Group."
}
],
"adviseBeforeFixFunction": "Ensure metrics and logs are enabled for related Rule Groups."
},
{
"name": "WAFv2RuleGroupNotEmpty",
"description": "Ensures that WAFv2 Rule Groups are not empty.",
"priority": 2,
"priorityReason": "Empty Rule Groups do not provide any protective measures, making them ineffective.",
"awsService": "WAFv2",
"awsServiceCategory": "Rule Groups",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "rules",
"description": "The rules to be added to the Rule Group.",
"default": "",
"example": "[{\"Name\": \"IPBlock\", \"Priority\": 1, \"Statement\": {\"IPSetReferenceStatement\": {\"ARN\": \"arn:aws:wafv2:...\"}}}]"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetRuleGroupCommand",
"reason": "Retrieve details of Rule Groups and check if they contain rules."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateRuleGroupCommand",
"reason": "Add rules to the Rule Group."
}
],
"adviseBeforeFixFunction": "Ensure the new rules do not conflict with existing configurations."
},
{
"name": "WAFv2WebACLNotEmpty",
"description": "Ensures that WAFv2 Web ACLs contain at least one rule.",
"priority": 1,
"priorityReason": "Web ACLs without rules do not provide any protection against unwanted traffic.",
"awsService": "WAFv2",
"awsServiceCategory": "Web ACLs",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "rules",
"description": "The rules to be added to the Web ACL.",
"default": "",
"example": "[{\"Name\": \"BlockBadActors\", \"Priority\": 1, \"Statement\": {\"IPSetReferenceStatement\": {\"ARN\": \"arn:aws:wafv2:...\"}}}]"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetWebACLCommand",
"reason": "Retrieve details of Web ACLs to check if they contain rules."
},
{
"name": "ListWebACLsCommand",
"reason": "Retrieve the list of Web ACLs."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateWebACLCommand",
"reason": "Add rules to the Web ACL."
}
],
"adviseBeforeFixFunction": "Review the rules to ensure they align with your organization's security policies."
},
{
"name": "RestrictedCommonPorts",
"description": "Ensures that security groups restrict access to common ports such as HTTP, SSH, MySQL, and others.",
"priority": 1,
"priorityReason": "Restricting access to common ports minimizes the risk of unauthorized access.",
"awsService": "EC2",
"awsServiceCategory": "Security Groups",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeSecurityGroupRulesCommand",
"reason": "Retrieve the security group rules to check for unrestricted access to common ports."
}
],
"commandUsedInFixFunction": [
{
"name": "RevokeSecurityGroupIngressCommand",
"reason": "Revoke ingress rules that allow unrestricted access to common ports."
}
],
"adviseBeforeFixFunction": "Review and confirm which ports need to remain open for critical operations."
},
{
"name": "VPCNetworkACLUnusedCheck",
"description": "Ensures that unused network ACLs are identified and marked for removal or optimization.",
"priority": 2,
"priorityReason": "Unused network ACLs increase administrative overhead and pose a potential security risk if misconfigured.",
"awsService": "EC2",
"awsServiceCategory": "Network ACLs",
"bestPracticeCategory": "Optimization",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeNetworkAclsCommand",
"reason": "Retrieve the list of network ACLs to check for unused ones."
}
],
"commandUsedInFixFunction": [],
"adviseBeforeFixFunction": "Ensure that identified unused ACLs are truly unlinked before removing them."
},
{
"name": "VPCPeeringDNSResolutionCheck",
"description": "Ensures that VPC peering connections have DNS resolution enabled.",
"priority": 1,
"priorityReason": "Enabling DNS resolution improves connectivity and simplifies resource management across peered VPCs.",
"awsService": "EC2",
"awsServiceCategory": "VPC Peering",
"bestPracticeCategory": "Networking",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeVpcPeeringConnectionsCommand",
"reason": "Retrieve the list of VPC peering connections and their DNS resolution settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyVpcPeeringConnectionOptionsCommand",
"reason": "Enable DNS resolution for the VPC peering connection."
}
],
"adviseBeforeFixFunction": "Ensure the VPCs involved in the peering connection require DNS resolution."
},
{
"name": "VPCSGOpenOnlyToAuthorizedPorts",
"description": "Ensures that security groups are only open to authorized ports and IP ranges.",
"priority": 1,
"priorityReason": "Restricting security groups to authorized ports minimizes the risk of exposure to unauthorized access.",
"awsService": "EC2",
"awsServiceCategory": "Security Groups",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "authorizedPorts",
"description": "A list of ports authorized for access.",
"default": "[80, 443]",
"example": "[80, 443]"
}
],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeSecurityGroupRulesCommand",
"reason": "Retrieve security group rules to identify unauthorized open ports."
}
],
"commandUsedInFixFunction": [
{
"name": "RevokeSecurityGroupIngressCommand",
"reason": "Revoke unauthorized ingress rules from security groups."
}
],
"adviseBeforeFixFunction": "Validate the list of authorized ports to ensure it meets operational requirements."
},
{
"name": "S3AccessPointInVpcOnly",
"description": "Ensures that S3 access points are restricted to VPCs.",
"priority": 1,
"priorityReason": "Restricting access points to VPCs enhances security by preventing public access.",
"awsService": "S3",
"awsServiceCategory": "Access Points",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "vpcId",
"description": "The ID of the VPC to which the access point should be restricted.",
"default": "",
"example": "vpc-12345678"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListAccessPointsCommand",
"reason": "Retrieve S3 access points to verify VPC-only settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateAccessPointCommand",
"reason": "Restrict the access point to a specific VPC."
}
],
"adviseBeforeFixFunction": "Ensure the target VPC is configured correctly to support S3 access."
},
{
"name": "S3BucketLevelPublicAccessProhibited",
"description": "Ensures that public access to S3 buckets is restricted.",
"priority": 1,
"priorityReason": "Restricting public access protects data in the S3 bucket from unauthorized users.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetPublicAccessBlockCommand",
"reason": "Retrieve public access block settings for S3 buckets."
}
],
"commandUsedInFixFunction": [
{
"name": "PutPublicAccessBlockCommand",
"reason": "Restrict public access to the S3 bucket by enabling public access blocks."
}
],
"adviseBeforeFixFunction": "Ensure that no applications require public access to the bucket before applying restrictions."
},
{
"name": "S3DefaultEncryptionKMS",
"description": "Ensures that S3 buckets have default encryption enabled using a KMS key.",
"priority": 1,
"priorityReason": "Default encryption ensures that all objects stored in the bucket are encrypted, protecting sensitive data.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "kmsKeyId",
"description": "The KMS key ID or ARN to enable default encryption.",
"default": "",
"example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetBucketEncryptionCommand",
"reason": "Check if default encryption is enabled for the bucket."
}
],
"commandUsedInFixFunction": [
{
"name": "PutBucketEncryptionCommand",
"reason": "Enable default encryption for the bucket."
}
],
"adviseBeforeFixFunction": "Ensure the KMS key has the necessary permissions to encrypt and decrypt objects."
},
{
"name": "S3EventNotificationsEnabled",
"description": "Ensures that S3 buckets have event notifications enabled for Lambda, SQS, or SNS.",
"priority": 2,
"priorityReason": "Event notifications facilitate real-time monitoring and automation, improving operational efficiency.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "eventNotificationConfig",
"description": "The event notification configuration to apply.",
"default": "",
"example": "{ \"LambdaFunctionConfigurations\": [...] }"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetBucketNotificationConfigurationCommand",
"reason": "Retrieve the event notification configuration for the bucket."
}
],
"commandUsedInFixFunction": [
{
"name": "PutBucketNotificationConfigurationCommand",
"reason": "Enable event notifications for the bucket."
}
],
"adviseBeforeFixFunction": "Ensure that the configured notification targets (Lambda, SQS, SNS) are ready to handle events."
},
{
"name": "S3LastBackupRecoveryPointCreated",
"description": "Ensures that S3 buckets have recent recovery points created within the last 24 hours.",
"priority": 1,
"priorityReason": "Regular backups ensure data integrity and recoverability in case of data loss.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Backup",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "ListRecoveryPointsByResourceCommand",
"reason": "Check the recovery points for the S3 bucket."
}
],
"commandUsedInFixFunction": [],
"adviseBeforeFixFunction": "Ensure the backup mechanism is configured to create recovery points regularly."
},
{
"name": "S3LifecyclePolicyCheck",
"description": "Ensures that S3 buckets have lifecycle policies configured for managing object transitions and expirations.",
"priority": 2,
"priorityReason": "Lifecycle policies help optimize storage costs by managing object transitions and deletions.",
"awsService": "S3",
"awsServiceCategory": "Buckets",
"bestPracticeCategory": "Optimization",
"requiredParametersForFix": [
{
"name": "lifecyclePolicy",
"description": "The lifecycle policy to apply to the bucket.",
"default": "",
"example": "{ \"Rules\": [...] }"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetBucketLifecycleConfigurationCommand",
"reason": "Retrieve the lifecycle configuration for the bucket."
}
],
"commandUsedInFixFunction": [
{
"name": "PutBucketLifecycleConfigurationCommand",
"reason": "Apply lifecycle policies to the bucket."
}
],
"adviseBeforeFixFunction": "Review lifecycle rules to ensure they align with data retention policies."
},
{
"name": "RDSClusterAutoMinorVersionUpgradeEnabled",
"description": "Ensures that RDS clusters have auto minor version upgrades enabled.",
"priority": 2,
"priorityReason": "Auto minor version upgrades keep RDS clusters up to date with the latest security patches and bug fixes.",
"awsService": "RDS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Maintenance",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve details of RDS clusters to check auto minor version upgrade settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBClusterCommand",
"reason": "Enable auto minor version upgrades for the RDS cluster."
}
],
"adviseBeforeFixFunction": "Ensure that enabling auto minor upgrades does not disrupt application compatibility."
},
{
"name": "RDSClusterDefaultAdminCheck",
"description": "Ensures that RDS clusters do not use default admin usernames like 'admin' or 'postgres'.",
"priority": 1,
"priorityReason": "Using non-default admin usernames reduces the risk of brute-force attacks.",
"awsService": "RDS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve details of RDS clusters to check admin usernames."
}
],
"commandUsedInFixFunction": [],
"adviseBeforeFixFunction": "Consider re-creating clusters with non-default admin usernames to enhance security."
},
{
"name": "RDSClusterMultiAZEnabled",
"description": "Ensures that RDS clusters are configured for Multi-AZ deployments.",
"priority": 1,
"priorityReason": "Multi-AZ deployments provide high availability and fault tolerance for RDS clusters.",
"awsService": "RDS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Reliability",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve details of RDS clusters to check Multi-AZ settings."
}
],
"commandUsedInFixFunction": [],
"adviseBeforeFixFunction": "Ensure applications can tolerate a potential brief downtime during Multi-AZ deployment configuration."
},
{
"name": "RDSDBSecurityGroupNotAllowed",
"description": "Ensures that RDS clusters do not use default security groups.",
"priority": 1,
"priorityReason": "Using custom security groups reduces the risk of unintended access to the database.",
"awsService": "RDS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve details of RDS clusters and their associated security groups."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBClusterCommand",
"reason": "Assign a custom security group to the RDS cluster."
}
],
"adviseBeforeFixFunction": "Ensure that the custom security group allows only authorized traffic."
},
{
"name": "RDSEnhancedMonitoringEnabled",
"description": "Ensures that enhanced monitoring is enabled for RDS instances.",
"priority": 2,
"priorityReason": "Enhanced monitoring provides deeper insights into database performance and resource usage.",
"awsService": "RDS",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "monitoringRoleArn",
"description": "The ARN of the IAM role used for enhanced monitoring.",
"default": "",
"example": "arn:aws:iam::123456789012:role/RDSMonitoringRole"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBInstancesCommand",
"reason": "Retrieve details of RDS instances to check monitoring settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBInstanceCommand",
"reason": "Enable enhanced monitoring for the RDS instance."
}
],
"adviseBeforeFixFunction": "Ensure the monitoring IAM role is properly configured with the required permissions."
},
{
"name": "RDSInstancePublicAccessCheck",
"description": "Ensures that RDS instances are not publicly accessible.",
"priority": 1,
"priorityReason": "Restricting public access reduces the risk of unauthorized access to databases.",
"awsService": "RDS",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBInstancesCommand",
"reason": "Retrieve details of RDS instances to check public accessibility."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBInstanceCommand",
"reason": "Disable public accessibility for the RDS instance."
}
],
"adviseBeforeFixFunction": "Verify that applications accessing the database are within the same VPC or have secure connectivity."
},
{
"name": "RDSLoggingEnabled",
"description": "Ensures that RDS clusters have logging enabled for supported log types.",
"priority": 1,
"priorityReason": "Enabling logging provides visibility into database activity and assists with compliance and debugging.",
"awsService": "RDS",
"awsServiceCategory": "Clusters",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "logTypes",
"description": "The list of log types to enable for the RDS cluster.",
"default": "",
"example": "[\"audit\", \"error\", \"general\", \"slowquery\"]"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClustersCommand",
"reason": "Retrieve details of RDS clusters to check their logging settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyDBClusterCommand",
"reason": "Enable logging for the RDS cluster."
}
],
"adviseBeforeFixFunction": "Ensure that the enabled log types align with monitoring and compliance requirements."
},
{
"name": "RDSSnapshotEncrypted",
"description": "Ensures that RDS snapshots are encrypted.",
"priority": 1,
"priorityReason": "Encrypting snapshots protects sensitive data stored in backups.",
"awsService": "RDS",
"awsServiceCategory": "Snapshots",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "kmsKeyId",
"description": "The KMS key ID or ARN to use for snapshot encryption.",
"default": "",
"example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeDBClusterSnapshotsCommand",
"reason": "Retrieve details of RDS snapshots to check their encryption status."
}
],
"commandUsedInFixFunction": [
{
"name": "CopyDBClusterSnapshotCommand",
"reason": "Create an encrypted copy of an unencrypted snapshot."
}
],
"adviseBeforeFixFunction": "Ensure the KMS key is configured with the appropriate permissions for snapshot encryption."
},
{
"name": "ElastiCacheReplGrpAutoFailoverEnabled",
"description": "Ensures that automatic failover is enabled for ElastiCache replication groups.",
"priority": 1,
"priorityReason": "Automatic failover provides high availability and reduces downtime in case of failures.",
"awsService": "ElastiCache",
"awsServiceCategory": "Replication Groups",
"bestPracticeCategory": "Reliability",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeReplicationGroupsCommand",
"reason": "Retrieve details of ElastiCache replication groups to check their failover settings."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyReplicationGroupCommand",
"reason": "Enable automatic failover for the replication group."
}
],
"adviseBeforeFixFunction": "Ensure that the replication group is configured for high availability."
},
{
"name": "ElastiCacheReplGrpEncryptedAtRest",
"description": "Ensures that ElastiCache replication groups are encrypted at rest.",
"priority": 1,
"priorityReason": "Encrypting data at rest protects it from unauthorized access in storage.",
"awsService": "ElastiCache",
"awsServiceCategory": "Replication Groups",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeReplicationGroupsCommand",
"reason": "Retrieve details of ElastiCache replication groups to check their encryption settings."
}
],
"commandUsedInFixFunction": [],
"adviseBeforeFixFunction": "Encryption at rest must be enabled at the time of cluster creation."
},
{
"name": "ElastiCacheReplGrpEncryptedInTransit",
"description": "Ensures that ElastiCache replication groups are encrypted in transit.",
"priority": 1,
"priorityReason": "Encrypting data in transit protects it from interception during communication.",
"awsService": "ElastiCache",
"awsServiceCategory": "Replication Groups",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeReplicationGroupsCommand",
"reason": "Retrieve details of ElastiCache replication groups to check their in-transit encryption settings."
}
],
"commandUsedInFixFunction": [],
"adviseBeforeFixFunction": "In-transit encryption must be enabled at the time of cluster creation."
},
{
"name": "ECSAwsVpcNetworkingEnabled",
"description": "Ensures that ECS task definitions use the awsvpc networking mode.",
"priority": 1,
"priorityReason": "Using awsvpc networking mode gives each task its own elastic network interface, which enhances security.",
"awsService": "ECS",
"awsServiceCategory": "Task Definitions",
"bestPracticeCategory": "Networking",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeTaskDefinitionCommand",
"reason": "Retrieve details of ECS task definitions to check their network mode."
}
],
"commandUsedInFixFunction": [
{
"name": "RegisterTaskDefinitionCommand",
"reason": "Re-register the task definition with the awsvpc networking mode."
}
],
"adviseBeforeFixFunction": "Ensure that the VPC and subnets are configured to support the awsvpc networking mode."
},
{
"name": "ECSContainersReadonlyAccess",
"description": "Ensures that ECS containers are configured with read-only root file systems.",
"priority": 2,
"priorityReason": "Using read-only root file systems reduces the risk of unauthorized changes to the container's file system.",
"awsService": "ECS",
"awsServiceCategory": "Task Definitions",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeTaskDefinitionCommand",
"reason": "Retrieve details of ECS task definitions to check container file system permissions."
}
],
"commandUsedInFixFunction": [
{
"name": "RegisterTaskDefinitionCommand",
"reason": "Re-register the task definition with read-only root file systems for containers."
}
],
"adviseBeforeFixFunction": "Verify that the application does not require write access to the container's root file system."
},
{
"name": "ECSFargateLatestPlatformVersion",
"description": "Ensures that ECS services use the latest Fargate platform version.",
"priority": 2,
"priorityReason": "Using the latest platform version ensures access to the latest features and bug fixes.",
"awsService": "ECS",
"awsServiceCategory": "Services",
"bestPracticeCategory": "Maintenance",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeServicesCommand",
"reason": "Retrieve details of ECS services to check their platform version."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateServiceCommand",
"reason": "Update the service to use the latest Fargate platform version."
}
],
"adviseBeforeFixFunction": "Ensure that updating the platform version does not disrupt service operations."
},
{
"name": "ECRKmsEncryption1",
"description": "Ensures that ECR repositories are encrypted using KMS keys.",
"priority": 1,
"priorityReason": "Encrypting ECR repositories with KMS keys protects sensitive data from unauthorized access.",
"awsService": "ECR",
"awsServiceCategory": "Repositories",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "kmsKeyId",
"description": "The KMS key ID or ARN to use for encryption.",
"default": "",
"example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeRepositoriesCommand",
"reason": "Retrieve details of ECR repositories to check their encryption settings."
}
],
"commandUsedInFixFunction": [
{
"name": "PutEncryptionConfigurationCommand",
"reason": "Enable KMS encryption for the ECR repository."
}
],
"adviseBeforeFixFunction": "Ensure the KMS key is properly configured with permissions to encrypt and decrypt ECR repository data."
},
{
"name": "EC2EbsEncryptionByDefault",
"description": "Ensures that EBS volumes are encrypted by default.",
"priority": 1,
"priorityReason": "Default encryption ensures all newly created EBS volumes are protected by encryption.",
"awsService": "EC2",
"awsServiceCategory": "EBS",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetEbsEncryptionByDefaultCommand",
"reason": "Check if EBS encryption by default is enabled."
}
],
"commandUsedInFixFunction": [
{
"name": "EnableEbsEncryptionByDefaultCommand",
"reason": "Enable EBS encryption by default."
}
],
"adviseBeforeFixFunction": "Ensure that encryption requirements align with organizational security policies."
},
{
"name": "EC2Imdsv2Check",
"description": "Ensures that EC2 instances require IMDSv2 for metadata access.",
"priority": 1,
"priorityReason": "Requiring IMDSv2 mitigates credential theft through SSRF, open-proxy, and similar request-forwarding vulnerabilities, because every metadata request must carry a session token obtained with a PUT request, which those attack paths usually cannot issue.",
"awsService": "EC2",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeInstancesCommand",
"reason": "Retrieve details of EC2 instances to check their metadata options."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyInstanceMetadataOptionsCommand",
"reason": "Enforce IMDSv2 on EC2 instances."
}
],
"adviseBeforeFixFunction": "Verify that applications and agents reading instance metadata are compatible with IMDSv2; older AWS SDK versions and scripts that issue plain GET requests without a session token will fail once IMDSv1 is disabled."
},
{
"name": "EC2InstanceDetailedMonitoringEnabled",
"description": "Ensures that EC2 instances have detailed monitoring enabled.",
"priority": 2,
"priorityReason": "Detailed monitoring provides granular metrics for resource usage and performance analysis.",
"awsService": "EC2",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeInstancesCommand",
"reason": "Retrieve details of EC2 instances to check their monitoring state."
}
],
"commandUsedInFixFunction": [
{
"name": "MonitorInstancesCommand",
"reason": "Enable detailed monitoring on EC2 instances."
}
],
"adviseBeforeFixFunction": "Ensure that enabling detailed monitoring aligns with operational requirements."
},
{
"name": "EC2InstanceManagedBySystemsManager",
"description": "Ensures that EC2 instances are managed by AWS Systems Manager.",
"priority": 2,
"priorityReason": "Using Systems Manager simplifies management tasks such as patching, configuration, and automation.",
"awsService": "EC2",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Management",
"requiredParametersForFix": [
{
"name": "iamRole",
"description": "The IAM role to attach to the instance for Systems Manager.",
"default": "",
"example": "arn:aws:iam::123456789012:role/SSMRole"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeInstanceInformationCommand",
"reason": "Check if instances are registered with Systems Manager."
}
],
"commandUsedInFixFunction": [
{
"name": "AttachIamInstanceProfileCommand",
"reason": "Attach an IAM role that enables Systems Manager to manage the instance."
}
],
"adviseBeforeFixFunction": "Ensure the IAM role has the permissions Systems Manager needs (for example the AmazonSSMManagedInstanceCore managed policy) and nothing broader, since every process on the instance can use the role's credentials. An instance can have only one instance profile, so if one is already attached, add the permissions to that role instead of attaching a new one."
},
{
"name": "EC2NoAmazonKeyPair",
"description": "Ensures that EC2 instances do not use Amazon-provided key pairs for authentication.",
"priority": 1,
"priorityReason": "Using key pairs that the organization generates and manages keeps SSH access to instances under the organization's own key-distribution, rotation, and revocation controls.",
"awsService": "EC2",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "newKeyPair",
"description": "The custom key pair to use for the EC2 instance.",
"default": "",
"example": "my-custom-keypair"
}
],
"isFixFunctionUsesDestructiveCommand": true,
"commandUsedInCheckFunction": [
{
"name": "DescribeInstancesCommand",
"reason": "Retrieve details of EC2 instances to check their key pair settings."
}
],
"commandUsedInFixFunction": [
{
"name": "RecreateInstanceWithNewKeyPairCommand",
"reason": "Recreate the instance with a custom key pair."
}
],
"adviseBeforeFixFunction": "The fix recreates the instance, which is destructive: instance-store data, the instance ID, and non-Elastic IP addresses are lost, so snapshot the volumes and plan the cutover first. Ensure the new key pair's private key is generated by the organization, stored in a secrets manager with access restricted to the operators who need it, and rotated when those operators change."
},
{
"name": "EC2TokenHopLimitCheck",
"description": "Ensures that EC2 instance metadata service has a low token hop limit configured.",
"priority": 2,
"priorityReason": "A hop limit of 1 prevents IMDSv2 token responses from being forwarded beyond the instance itself, so a container or other workload one network hop away (for example, a compromised one) cannot obtain the instance role's credentials.",
"awsService": "EC2",
"awsServiceCategory": "Instances",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "hopLimit",
"description": "The maximum number of hops allowed for the metadata service.",
"default": "1",
"example": "1"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeInstancesCommand",
"reason": "Retrieve details of EC2 instances to check their metadata service hop limit."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyInstanceMetadataOptionsCommand",
"reason": "Set the hop limit for the instance metadata service."
}
],
"adviseBeforeFixFunction": "Ensure that the hop limit setting does not interfere with legitimate application behavior; containerized workloads that are intended to use the instance role through IMDS (for example, pods behind a network bridge) typically need a limit of 2, and that trade-off should be a deliberate decision."
},
{
"name": "DynamoDBTableEncryptionEnabled",
"description": "Ensures that DynamoDB tables are encrypted at rest with a KMS key (AWS managed or customer managed) rather than only the default AWS-owned key.",
"priority": 1,
"priorityReason": "Every DynamoDB table is encrypted at rest, but with the default AWS-owned key the account has no visibility into or control over key use; an AWS-managed or customer-managed KMS key adds key-policy control and CloudTrail auditing of key use for tables that hold sensitive data.",
"awsService": "DynamoDB",
"awsServiceCategory": "Tables",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeTableCommand",
"reason": "Retrieve details of DynamoDB tables to check their encryption settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateTableCommand",
"reason": "Enable encryption for the DynamoDB table."
}
],
"adviseBeforeFixFunction": "Ensure that enabling encryption aligns with your organization's data security policies."
},
{
"name": "CWLogGroupRetentionPeriodCheck",
"description": "Ensures that CloudWatch log groups have a defined retention period.",
"priority": 2,
"priorityReason": "A defined retention period bounds storage costs and keeps logs from accumulating indefinitely, while making the retention window an explicit, reviewable choice rather than an accident.",
"awsService": "CloudWatch",
"awsServiceCategory": "Logs",
"bestPracticeCategory": "Cost Optimization",
"requiredParametersForFix": [
{
"name": "retentionDays",
"description": "The number of days to retain log data.",
"default": "30",
"example": "7"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeLogGroupsCommand",
"reason": "Retrieve details of CloudWatch log groups to check their retention settings."
}
],
"commandUsedInFixFunction": [
{
"name": "PutRetentionPolicyCommand",
"reason": "Set the retention period for CloudWatch log groups."
}
],
"adviseBeforeFixFunction": "Choose a retention period that balances storage costs against compliance and incident-response needs; a period that is too short discards the evidence needed to investigate a breach discovered weeks later, so consider a longer period or an export to S3 for security-relevant log groups."
},
{
"name": "CloudFrontS3OriginAccessControlEnabled",
"description": "Ensures that CloudFront distributions with S3 origins have origin access control enabled.",
"priority": 1,
"priorityReason": "Using origin access control restricts access to S3 buckets, enhancing security.",
"awsService": "CloudFront",
"awsServiceCategory": "Distributions",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetDistributionCommand",
"reason": "Retrieve CloudFront distribution configurations to check origin access settings."
}
],
"commandUsedInFixFunction": [
{
"name": "UpdateDistributionCommand",
"reason": "Enable origin access control for CloudFront distributions."
}
],
"adviseBeforeFixFunction": "Origin access control only protects the bucket when the bucket policy is updated alongside it: grant s3:GetObject to the cloudfront.amazonaws.com service principal with a condition on the distribution's ARN, and remove any public-read statements, otherwise the bucket remains directly reachable. Verify the distribution still serves content correctly after the change."
},
{
"name": "ALBWAFEnabled",
"description": "Ensures that WAF is associated with ALBs.",
"priority": 1,
"priorityReason": "Associating WAF with ALBs protects against common web attacks.",
"awsService": "Elastic Load Balancing",
"awsServiceCategory": "Application Load Balancer",
"bestPracticeCategory": "Security",
"requiredParametersForFix": [
{
"name": "webAclArn",
"description": "The ARN of the WAF ACL to associate with the ALB.",
"default": "",
"example": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "GetWebAclForResourceCommand",
"reason": "Check if a WAF is associated with the ALB."
}
],
"commandUsedInFixFunction": [
{
"name": "AssociateWebAclCommand",
"reason": "Associate a WAF ACL with the ALB."
}
],
"adviseBeforeFixFunction": "Ensure the WAF web ACL has the appropriate rules for the application's requirements and that its blocking rules have been validated (for example, by running them in count mode first) so legitimate traffic is not rejected."
},
{
"name": "ELBCrossZoneLoadBalancingEnabled",
"description": "Ensures that cross-zone load balancing is enabled for load balancers.",
"priority": 2,
"priorityReason": "Cross-zone load balancing distributes traffic evenly across all registered targets.",
"awsService": "Elastic Load Balancing",
"awsServiceCategory": "Load Balancer",
"bestPracticeCategory": "Reliability",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeLoadBalancerAttributesCommand",
"reason": "Check if cross-zone load balancing is enabled for load balancers."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyLoadBalancerAttributesCommand",
"reason": "Enable cross-zone load balancing for load balancers."
}
],
"adviseBeforeFixFunction": "Ensure enabling cross-zone load balancing aligns with traffic distribution goals."
},
{
"name": "ELBDeletionProtectionEnabled",
"description": "Ensures that deletion protection is enabled for load balancers.",
"priority": 1,
"priorityReason": "Enabling deletion protection prevents accidental deletion of load balancers.",
"awsService": "Elastic Load Balancing",
"awsServiceCategory": "Load Balancer",
"bestPracticeCategory": "Reliability",
"requiredParametersForFix": [],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeLoadBalancerAttributesCommand",
"reason": "Check if deletion protection is enabled for load balancers."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyLoadBalancerAttributesCommand",
"reason": "Enable deletion protection for load balancers."
}
],
"adviseBeforeFixFunction": "Note that a load balancer with deletion protection cannot be deleted, including by infrastructure-as-code teardown, until the attribute is disabled again; confirm this fits the load balancer's lifecycle management."
},
{
"name": "ELBLoggingEnabled",
"description": "Ensures that access logs are enabled for load balancers.",
"priority": 1,
"priorityReason": "Access logs record each request (client IP, path, status code, latency), which makes them primary evidence for incident investigation as well as a tool for debugging and traffic analysis.",
"awsService": "Elastic Load Balancing",
"awsServiceCategory": "Load Balancer",
"bestPracticeCategory": "Monitoring",
"requiredParametersForFix": [
{
"name": "s3BucketName",
"description": "The S3 bucket to store access logs.",
"default": "",
"example": "my-logs-bucket"
}
],
"isFixFunctionUsesDestructiveCommand": false,
"commandUsedInCheckFunction": [
{
"name": "DescribeLoadBalancerAttributesCommand",
"reason": "Check if access logging is enabled for load balancers."
}
],
"commandUsedInFixFunction": [
{
"name": "ModifyLoadBalancerAttributesCommand",
"reason": "Enable access logs for load balancers."
}
],
"adviseBeforeFixFunction": "Ensure that the specified S3 bucket exists in the same Region as the load balancer, has a bucket policy granting the Elastic Load Balancing log-delivery principal write access, and is not publicly readable, since the logs contain client IP addresses and request paths."
}
]