diff --git a/src/Memorizer.ts b/src/Memorizer.ts
index b1fe269..ca268f9 100644
--- a/src/Memorizer.ts
+++ b/src/Memorizer.ts
@@ -1,6 +1,17 @@
 import { Client } from '@smithy/smithy-client'
 import shajs from 'sha.js'
+/**
+ * Memorize AWS SDK operation results.
+ * This util class tend to be always re-use AWS SDK Client
+ * which makes operation more faster and optimize memory usage.
+ *
+ * All results will be store as Key-Value hash map.
+ * * Key: sha256(serialize([OPERATION_NAME, OPERATION_INPUT_PARAMETER]))
+ * * Value: OPERATION_OUTPUT
+ *
+ * @author Minhyeok Park
+ */
 export class Memorizer {
   private static memorized = new Map()
diff --git a/src/bpsets/BPSet.ts b/src/bpsets/BPSet.ts
index 0e1cb8c..82cd59f 100644
--- a/src/bpsets/BPSet.ts
+++ b/src/bpsets/BPSet.ts
@@ -1,3 +1,11 @@
+/**
+ * This interface defines required structure for all bpsets.
+ *
+ * Modifying this interface causes VERY large blast impact.
+ * SO PLEASE DO NOT MODIFY.
+ *
+ * @author Minhyeok Park
+ */
 export interface BPSet {
   check: () => Promise<{
     compliantResources: string[]
diff --git a/src/bpsets/bpset_metadata.json b/src/bpsets/bpset_metadata.json
new file mode 100644
index 0000000..113ae06
--- /dev/null
+++ b/src/bpsets/bpset_metadata.json
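Review bot: The new header comment on Memorizer is hard to read in several places ("This util class tend to be always re-use", "operation more faster", "will be store"); suggest `Memoize AWS SDK operation results so that a single SDK client can be reused across calls, which makes operations faster and reduces memory usage.` and `All results are stored in a key-value map.`. The comment also does not say how long a cached entry lives or that a hit returns the result of an earlier call; the visible context line `private static memorized = new Map()` suggests the cache is process-wide, and nothing in this hunk shows an eviction or invalidation path, so a sentence such as `Entries persist for the lifetime of the process; a cached result does not reflect changes made to the resource after the first call.` would help callers that check mutable state — confirm against the rest of the class. The Memorizer class body continues outside the hunk.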
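Review bot: The added docblock on BPSet warns readers not to change the interface but does not describe the contract an implementer must satisfy, which is what a reader of this file actually needs; the capitalised warning would read better as a TSDoc remark, e.g. `@remarks Every bpset implements this interface, so any change here must be applied to all implementations.`. A line per member would be more useful than the warning alone — for the visible `check` member, something like `check resolves with the resource identifiers that are compliant with the best practice` — with the remaining members documented the same way. The BPSet interface body continues outside the hunk, so the exact member list should be taken from there.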
@@ -0,0 +1,2464 @@ +[ + { + "name": "ALBHttpDropInvalidHeaderEnabled", + "description": "Ensures that the ALB is configured to drop invalid HTTP headers.", + "priority": 1, + "priorityReason": "Invalid headers can introduce security vulnerabilities.", + "awsService": "ELBv2", + "awsServiceCategory": "Application Load Balancer", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeLoadBalancerAttributes", + "reason": "Retrieve ALB attributes to check for the invalid header configuration." + } + ], + "commandUsedInFixFunction": [ + { + "name": "ModifyLoadBalancerAttributes", + "reason": "Enable the drop invalid headers feature for the ALB." + } + ], + "adviseBeforeFixFunction": "Ensure that enabling this attribute does not break any custom client behavior." + }, + { + "name": "ALBWafEnabled", + "description": "Verifies if a WAF is associated with the ALB.", + "priority": 2, + "priorityReason": "WAF protects the application from known vulnerabilities and attacks.", + "awsService": "ELBv2", + "awsServiceCategory": "Application Load Balancer", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [ + { + "name": "webAclArn", + "description": "The ARN of the WAF WebACL to associate with the ALB.", + "default": "", + "example": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/ExampleWebACL/12345678-1234-5678-abcd-1234567890ab" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetWebACLForResource", + "reason": "Check if a WAF is associated with the ALB." + } + ], + "commandUsedInFixFunction": [ + { + "name": "AssociateWebACL", + "reason": "Associate a WAF WebACL with the ALB." + } + ], + "adviseBeforeFixFunction": "Ensure the WAF WebACL is configured and ready for use to prevent blocking legitimate traffic." 
+ }, + { + "name": "ALBCrossZoneLoadBalancingEnabled", + "description": "Ensures cross-zone load balancing is enabled for the ALB.", + "priority": 3, + "priorityReason": "Cross-zone load balancing ensures even traffic distribution across instances in multiple zones.", + "awsService": "ELBv2", + "awsServiceCategory": "Application Load Balancer", + "bestPracticeCategory": "Performance", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeLoadBalancerAttributes", + "reason": "Retrieve ALB attributes to check for cross-zone load balancing configuration." + } + ], + "commandUsedInFixFunction": [ + { + "name": "ModifyLoadBalancerAttributes", + "reason": "Enable cross-zone load balancing for the ALB." + } + ], + "adviseBeforeFixFunction": "Ensure that enabling this attribute aligns with your traffic distribution strategy." + }, + { + "name": "ALBDeletionProtectionEnabled", + "description": "Ensures deletion protection is enabled for the ALB.", + "priority": 1, + "priorityReason": "Deletion protection prevents accidental or unauthorized deletion of the ALB.", + "awsService": "ELBv2", + "awsServiceCategory": "Application Load Balancer", + "bestPracticeCategory": "Resilience", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeLoadBalancerAttributes", + "reason": "Retrieve ALB attributes to check for deletion protection configuration." + } + ], + "commandUsedInFixFunction": [ + { + "name": "ModifyLoadBalancerAttributes", + "reason": "Enable deletion protection for the ALB." + } + ], + "adviseBeforeFixFunction": "Ensure that deletion protection aligns with your operational requirements." 
+ }, + { + "name": "ALBLoggingEnabled", + "description": "Ensures access logging is enabled for the ALB.", + "priority": 2, + "priorityReason": "Access logs help in monitoring and debugging traffic issues.", + "awsService": "ELBv2", + "awsServiceCategory": "Application Load Balancer", + "bestPracticeCategory": "Monitoring", + "requiredParametersForFix": [ + { + "name": "s3BucketName", + "description": "The name of the S3 bucket to store access logs.", + "default": "", + "example": "my-logs-bucket" + }, + { + "name": "s3BucketPrefix", + "description": "The prefix for the access logs in the S3 bucket.", + "default": "", + "example": "ALB/logs/" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeLoadBalancerAttributes", + "reason": "Retrieve ALB attributes to check for logging configuration." + } + ], + "commandUsedInFixFunction": [ + { + "name": "ModifyLoadBalancerAttributes", + "reason": "Enable logging and configure the S3 bucket and prefix for the ALB." + } + ], + "adviseBeforeFixFunction": "Ensure that the specified S3 bucket is correctly configured to receive access logs." + }, + { + "name": "APIGatewayV2AccessLogsEnabled", + "description": "Ensures that access logs are enabled for API Gateway V2 HTTP APIs.", + "priority": 2, + "priorityReason": "Access logs help in monitoring and debugging API traffic issues.", + "awsService": "APIGateway", + "awsServiceCategory": "HTTP API", + "bestPracticeCategory": "Monitoring", + "requiredParametersForFix": [ + { + "name": "logGroupArn", + "description": "The ARN of the CloudWatch Log Group to store access logs.", + "default": "", + "example": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/http-api/logs:*" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetStagesCommand", + "reason": "Retrieve stage information for HTTP APIs to check for access log configuration." 
+ } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateStageCommand", + "reason": "Enable access logs and configure the CloudWatch Log Group for the stage." + } + ], + "adviseBeforeFixFunction": "Ensure the specified CloudWatch Log Group exists and has proper permissions." + }, + { + "name": "APIGatewayV2AuthorizationTypeConfigured", + "description": "Verifies that all routes in API Gateway V2 HTTP APIs have authorization configured.", + "priority": 1, + "priorityReason": "Authorization protects APIs from unauthorized access.", + "awsService": "APIGateway", + "awsServiceCategory": "HTTP API", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [ + { + "name": "authorizationType", + "description": "The type of authorization to apply to the API route.", + "default": "AWS_IAM", + "example": "JWT" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetRoutesCommand", + "reason": "Retrieve route information to check for authorization configuration." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateRouteCommand", + "reason": "Update route configuration to include the specified authorization type." + } + ], + "adviseBeforeFixFunction": "Ensure that the chosen authorization method is correctly set up and configured." 
+ }, + { + "name": "APIGatewayAssociatedWithWAF", + "description": "Ensures that the API Gateway stages are associated with a WAF WebACL.", + "priority": 1, + "priorityReason": "WAF provides protection against common web exploits.", + "awsService": "APIGateway", + "awsServiceCategory": "REST API", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [ + { + "name": "webAclArn", + "description": "The ARN of the WAF WebACL to associate with the API Gateway stage.", + "default": "", + "example": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/ExampleWebACL/12345678-1234-5678-abcd-1234567890ab" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetStageCommand", + "reason": "Retrieve stage information to check if it is associated with a WAF WebACL." + } + ], + "commandUsedInFixFunction": [ + { + "name": "AssociateWebACLCommand", + "reason": "Associate the specified WAF WebACL with the API Gateway stage." + } + ], + "adviseBeforeFixFunction": "Ensure the WAF WebACL is properly configured before associating it with the API Gateway stage." + }, + { + "name": "APIGatewayCacheEnabledAndEncrypted", + "description": "Ensures that caching is enabled and encrypted for API Gateway stages.", + "priority": 3, + "priorityReason": "Encrypted caching protects sensitive data and improves performance.", + "awsService": "APIGateway", + "awsServiceCategory": "REST API", + "bestPracticeCategory": "Performance", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetStageCommand", + "reason": "Retrieve stage information to check caching and encryption settings." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateStageCommand", + "reason": "Enable caching and encryption for the API Gateway stage." + } + ], + "adviseBeforeFixFunction": "Ensure that enabling caching aligns with your performance requirements." 
+ }, + { + "name": "APIGatewayExecutionLoggingEnabled", + "description": "Ensures that execution logging is enabled for API Gateway stages.", + "priority": 2, + "priorityReason": "Execution logs help in debugging and monitoring API requests.", + "awsService": "APIGateway", + "awsServiceCategory": "REST API", + "bestPracticeCategory": "Monitoring", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetStageCommand", + "reason": "Retrieve stage information to check execution logging configuration." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateStageCommand", + "reason": "Enable execution logging for the API Gateway stage." + } + ], + "adviseBeforeFixFunction": "Ensure CloudWatch Logs are set up correctly to receive execution logs." + }, + { + "name": "AutoScalingGroupELBHealthCheckRequired", + "description": "Ensures that Auto Scaling Groups with load balancers or target groups use ELB health checks.", + "priority": 1, + "priorityReason": "ELB health checks ensure that unhealthy instances are replaced automatically.", + "awsService": "AutoScaling", + "awsServiceCategory": "Auto Scaling Group", + "bestPracticeCategory": "Resilience", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeAutoScalingGroupsCommand", + "reason": "Retrieve Auto Scaling Group configurations to check health check settings." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateAutoScalingGroupCommand", + "reason": "Update the health check type of the Auto Scaling Group to ELB." + } + ], + "adviseBeforeFixFunction": "Ensure that the ELB or target group is correctly configured to provide health checks." 
+ }, + { + "name": "AutoScalingMultipleAZ", + "description": "Ensures that Auto Scaling Groups are configured to run in multiple Availability Zones.", + "priority": 2, + "priorityReason": "Multiple AZs improve availability and fault tolerance of the application.", + "awsService": "AutoScaling", + "awsServiceCategory": "Auto Scaling Group", + "bestPracticeCategory": "Resilience", + "requiredParametersForFix": [ + { + "name": "availabilityZones", + "description": "List of Availability Zones to add to the Auto Scaling Group.", + "default": "", + "example": "['us-east-1a', 'us-east-1b']" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeAutoScalingGroupsCommand", + "reason": "Retrieve Auto Scaling Group configurations to check the number of Availability Zones." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateAutoScalingGroupCommand", + "reason": "Add multiple Availability Zones to the Auto Scaling Group." + } + ], + "adviseBeforeFixFunction": "Ensure that the additional Availability Zones have the necessary capacity and resources." 
+ }, + { + "name": "AutoScalingLaunchTemplate", + "description": "Ensures that Auto Scaling Groups use launch templates instead of launch configurations.", + "priority": 3, + "priorityReason": "Launch templates provide better flexibility and are recommended over launch configurations.", + "awsService": "AutoScaling", + "awsServiceCategory": "Auto Scaling Group", + "bestPracticeCategory": "Configuration", + "requiredParametersForFix": [ + { + "name": "launchTemplateId", + "description": "The ID of the launch template to associate with the Auto Scaling Group.", + "default": "", + "example": "lt-0123456789abcdef0" + }, + { + "name": "launchTemplateVersion", + "description": "The version of the launch template to use.", + "default": "$Latest", + "example": "$Latest" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeAutoScalingGroupsCommand", + "reason": "Retrieve Auto Scaling Group configurations to check for launch configuration usage." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateAutoScalingGroupCommand", + "reason": "Switch the Auto Scaling Group to use a launch template." + } + ], + "adviseBeforeFixFunction": "Ensure the launch template is properly configured before associating it with the Auto Scaling Group." 
+ }, { + "name": "CloudFrontAccessLogsEnabled", + "description": "Ensures that access logging is enabled for CloudFront distributions.", + "priority": 2, + "priorityReason": "Access logs help monitor and analyze distribution traffic.", + "awsService": "CloudFront", + "awsServiceCategory": "Content Delivery Network", + "bestPracticeCategory": "Monitoring", + "requiredParametersForFix": [ + { + "name": "s3BucketName", + "description": "The name of the S3 bucket to store access logs.", + "default": "", + "example": "my-cloudfront-logs-bucket" + }, + { + "name": "s3BucketPrefix", + "description": "The prefix for the access logs in the S3 bucket.", + "default": "", + "example": "CloudFront/logs/" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetDistributionCommand", + "reason": "Retrieve the configuration of CloudFront distributions to check logging status." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateDistributionCommand", + "reason": "Enable access logging and configure the S3 bucket for the CloudFront distribution." + } + ], + "adviseBeforeFixFunction": "Ensure the S3 bucket exists and has the necessary permissions to receive access logs." 
+ }, + { + "name": "CloudFrontAssociatedWithWAF", + "description": "Ensures that CloudFront distributions are associated with a WAF WebACL.", + "priority": 1, + "priorityReason": "WAF protects the distribution from known vulnerabilities and attacks.", + "awsService": "CloudFront", + "awsServiceCategory": "Content Delivery Network", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [ + { + "name": "webAclArn", + "description": "The ARN of the WAF WebACL to associate with the CloudFront distribution.", + "default": "", + "example": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/ExampleWebACL/12345678-1234-5678-abcd-1234567890ab" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetDistributionCommand", + "reason": "Retrieve the configuration of CloudFront distributions to check for WAF WebACL association." + } + ], + "commandUsedInFixFunction": [ + { + "name": "AssociateWebACLCommand", + "reason": "Associate a WAF WebACL with the CloudFront distribution." + } + ], + "adviseBeforeFixFunction": "Ensure the WAF WebACL is properly configured before associating it." 
+ }, + { + "name": "CloudFrontDefaultRootObjectConfigured", + "description": "Ensures that a default root object is configured for CloudFront distributions.", + "priority": 3, + "priorityReason": "A default root object improves user experience by serving content for root domain requests.", + "awsService": "CloudFront", + "awsServiceCategory": "Content Delivery Network", + "bestPracticeCategory": "Configuration", + "requiredParametersForFix": [ + { + "name": "defaultRootObject", + "description": "The default root object to configure for the CloudFront distribution.", + "default": "index.html", + "example": "index.html" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetDistributionCommand", + "reason": "Retrieve the configuration of CloudFront distributions to check for a default root object." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateDistributionCommand", + "reason": "Set a default root object for the CloudFront distribution." + } + ], + "adviseBeforeFixFunction": "Ensure the specified root object exists in the origin bucket or server." + }, + { + "name": "CloudFrontNoDeprecatedSSLProtocols", + "description": "Ensures that deprecated SSL protocols like SSLv3 are not enabled for CloudFront distributions.", + "priority": 1, + "priorityReason": "Deprecated SSL protocols pose security risks and should be disabled.", + "awsService": "CloudFront", + "awsServiceCategory": "Content Delivery Network", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetDistributionCommand", + "reason": "Retrieve the configuration of CloudFront distributions to check SSL protocols." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateDistributionCommand", + "reason": "Update the SSL protocol settings to disable deprecated protocols." 
+ } + ], + "adviseBeforeFixFunction": "Ensure the change aligns with your application's SSL requirements." + }, + { + "name": "CloudFrontViewerPolicyHTTPS", + "description": "Ensures that viewer protocol policies enforce HTTPS for all CloudFront distributions.", + "priority": 1, + "priorityReason": "Enforcing HTTPS ensures secure communication between the client and the distribution.", + "awsService": "CloudFront", + "awsServiceCategory": "Content Delivery Network", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "GetDistributionCommand", + "reason": "Retrieve the configuration of CloudFront distributions to check viewer protocol policies." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateDistributionCommand", + "reason": "Update viewer protocol policies to enforce HTTPS for all behaviors." + } + ], + "adviseBeforeFixFunction": "Ensure all origins are configured to accept HTTPS traffic." + },{ + "name": "CloudWatchLogGroupRetentionPeriodCheck", + "description": "Ensures that CloudWatch log groups have a retention period set.", + "priority": 2, + "priorityReason": "Setting a retention period ensures that logs do not accumulate indefinitely, which helps manage storage costs.", + "awsService": "CloudWatch", + "awsServiceCategory": "Log Groups", + "bestPracticeCategory": "Cost Management", + "requiredParametersForFix": [ + { + "name": "retentionInDays", + "description": "The retention period in days for the log group.", + "default": "30", + "example": "7" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeLogGroupsCommand", + "reason": "Retrieve information about CloudWatch log groups to check their retention period." + } + ], + "commandUsedInFixFunction": [ + { + "name": "PutRetentionPolicyCommand", + "reason": "Set the retention period for the CloudWatch log group." 
+ } + ], + "adviseBeforeFixFunction": "Ensure the chosen retention period meets compliance and data retention policies." + }, + { + "name": "CloudWatchAlarmSettingsCheck", + "description": "Ensures that CloudWatch alarms are configured with the required settings.", + "priority": 3, + "priorityReason": "Properly configured alarms ensure timely monitoring and response to system events.", + "awsService": "CloudWatch", + "awsServiceCategory": "Alarms", + "bestPracticeCategory": "Monitoring", + "requiredParametersForFix": [ + { + "name": "alarmParameters", + "description": "The required parameters to configure the alarm properly.", + "default": "{}", + "example": "{\"MetricName\": \"CPUUtilization\", \"Threshold\": 80, \"ComparisonOperator\": \"GreaterThanOrEqualToThreshold\"}" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeAlarmsCommand", + "reason": "Retrieve CloudWatch alarm configurations to check for required parameters." + } + ], + "commandUsedInFixFunction": [ + { + "name": "PutMetricAlarmCommand", + "reason": "Update the alarm settings to match the required configuration." + } + ], + "adviseBeforeFixFunction": "Ensure the specified metric and parameters align with the monitoring objectives." + }, + { + "name": "CodeBuildProjectEnvironmentPrivilegedCheck", + "description": "Ensures that CodeBuild projects do not have privileged mode enabled in their environment.", + "priority": 1, + "priorityReason": "Privileged mode can pose a security risk by allowing unrestricted access to resources.", + "awsService": "CodeBuild", + "awsServiceCategory": "Build Projects", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "BatchGetProjectsCommand", + "reason": "Retrieve CodeBuild project configurations to check for privileged mode." 
+ } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateProjectCommand", + "reason": "Disable privileged mode for the CodeBuild project." + } + ], + "adviseBeforeFixFunction": "Ensure that privileged mode is not required for specific build operations." + }, + { + "name": "CodeBuildProjectLoggingEnabled", + "description": "Ensures that CodeBuild projects have logging enabled to CloudWatch or S3.", + "priority": 2, + "priorityReason": "Logs help monitor and debug the build process.", + "awsService": "CodeBuild", + "awsServiceCategory": "Build Projects", + "bestPracticeCategory": "Monitoring", + "requiredParametersForFix": [ + { + "name": "logGroupArn", + "description": "The ARN of the CloudWatch Log Group to store build logs.", + "default": "", + "example": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/logs:*" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "BatchGetProjectsCommand", + "reason": "Retrieve CodeBuild project configurations to check for logging settings." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateProjectCommand", + "reason": "Enable logging for the CodeBuild project." + } + ], + "adviseBeforeFixFunction": "Ensure the specified CloudWatch Log Group exists and has necessary permissions." 
+ }, + { + "name": "CodeDeployAutoRollbackMonitorEnabled", + "description": "Ensures that CodeDeploy deployment groups have monitoring alarms and auto-rollback enabled.", + "priority": 1, + "priorityReason": "Monitoring alarms and auto-rollback reduce the risk of failed deployments impacting production.", + "awsService": "CodeDeploy", + "awsServiceCategory": "Deployment Groups", + "bestPracticeCategory": "Resilience", + "requiredParametersForFix": [ + { + "name": "alarmConfiguration", + "description": "Configuration for CloudWatch alarms to monitor during deployments.", + "default": "{}", + "example": "{\"enabled\": true, \"alarms\": [{\"name\": \"HighErrorRate\"}]}" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "ListDeploymentGroupsCommand", + "reason": "Retrieve deployment groups to check for alarm and rollback configuration." + }, + { + "name": "BatchGetDeploymentGroupsCommand", + "reason": "Fetch detailed configuration of the deployment groups." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateDeploymentGroupCommand", + "reason": "Enable monitoring alarms and auto-rollback for the deployment group." + } + ], + "adviseBeforeFixFunction": "Ensure the monitoring alarms are set up and configured properly." + }, + { + "name": "DynamoDBAutoscalingEnabled", + "description": "Ensures that DynamoDB tables have autoscaling enabled for read and write capacity.", + "priority": 1, + "priorityReason": "Autoscaling ensures the table can handle varying workloads without manual intervention.", + "awsService": "DynamoDB", + "awsServiceCategory": "NoSQL Database", + "bestPracticeCategory": "Performance", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeTableCommand", + "reason": "Retrieve table information to check billing mode and autoscaling policies." 
+ }, + { + "name": "DescribeScalingPoliciesCommand", + "reason": "Check for existing autoscaling policies for the table." + } + ], + "commandUsedInFixFunction": [ + { + "name": "PutScalingPolicyCommand", + "reason": "Create or update autoscaling policies for the table." + } + ], + "adviseBeforeFixFunction": "Ensure the workload patterns are well understood to configure autoscaling appropriately." + }, + { + "name": "DynamoDBLastBackupRecoveryPointCreated", + "description": "Ensures that DynamoDB tables have a recent backup or recovery point created within the last 24 hours.", + "priority": 1, + "priorityReason": "Frequent backups ensure data recovery in case of accidental deletion or corruption.", + "awsService": "DynamoDB", + "awsServiceCategory": "NoSQL Database", + "bestPracticeCategory": "Resilience", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "ListBackupsCommand", + "reason": "Retrieve the list of backups for the table to check for recent recovery points." + } + ], + "commandUsedInFixFunction": [ + { + "name": "CreateBackupCommand", + "reason": "Create a new backup for the DynamoDB table." + } + ], + "adviseBeforeFixFunction": "Ensure that backup policies are aligned with organizational data retention requirements." + }, + { + "name": "DynamoDBPITREnabled", + "description": "Ensures that Point-In-Time Recovery (PITR) is enabled for DynamoDB tables.", + "priority": 2, + "priorityReason": "PITR allows recovery to any point in the last 35 days, enhancing resilience against accidental data loss.", + "awsService": "DynamoDB", + "awsServiceCategory": "NoSQL Database", + "bestPracticeCategory": "Resilience", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeContinuousBackupsCommand", + "reason": "Retrieve table information to check if PITR is enabled." 
+ } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateContinuousBackupsCommand", + "reason": "Enable Point-In-Time Recovery for the table." + } + ], + "adviseBeforeFixFunction": "Ensure PITR is enabled only on tables requiring this feature to manage costs." + }, + { + "name": "DynamoDBTableDeletionProtectionEnabled", + "description": "Ensures that deletion protection is enabled for DynamoDB tables.", + "priority": 1, + "priorityReason": "Deletion protection prevents accidental deletion of critical tables.", + "awsService": "DynamoDB", + "awsServiceCategory": "NoSQL Database", + "bestPracticeCategory": "Resilience", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeTableCommand", + "reason": "Retrieve table information to check deletion protection settings." + } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateTableCommand", + "reason": "Enable deletion protection for the table." + } + ], + "adviseBeforeFixFunction": "Ensure deletion protection aligns with the operational requirements of the application." + }, + { + "name": "DynamoDBTableEncryptedKMS", + "description": "Ensures that DynamoDB tables are encrypted using KMS keys.", + "priority": 1, + "priorityReason": "KMS encryption protects sensitive data stored in DynamoDB tables.", + "awsService": "DynamoDB", + "awsServiceCategory": "NoSQL Database", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [ + { + "name": "kmsKeyId", + "description": "The ID of the KMS key to use for encrypting the table.", + "default": "", + "example": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeTableCommand", + "reason": "Retrieve table information to check encryption settings." 
+ } + ], + "commandUsedInFixFunction": [ + { + "name": "UpdateTableCommand", + "reason": "Enable encryption using the specified KMS key." + } + ], + "adviseBeforeFixFunction": "Ensure the specified KMS key is accessible and properly configured." + }, + { + "name": "EC2EBSVolumeEncryptionEnabled", + "description": "Ensures that all EBS volumes are encrypted.", + "priority": 1, + "priorityReason": "Encryption protects sensitive data at rest.", + "awsService": "EC2", + "awsServiceCategory": "Elastic Block Store (EBS)", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [ + { + "name": "kmsKeyId", + "description": "The KMS key ID to use for encryption.", + "default": "", + "example": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeVolumesCommand", + "reason": "Retrieve information about EBS volumes to check encryption status." + } + ], + "commandUsedInFixFunction": [ + { + "name": "ModifyVolumeCommand", + "reason": "Enable encryption for the EBS volume using the specified KMS key." + } + ], + "adviseBeforeFixFunction": "Ensure the KMS key is accessible and properly configured for encryption." + }, + { + "name": "EC2IMDSv2Required", + "description": "Ensures that all EC2 instances require IMDSv2 for enhanced security.", + "priority": 1, + "priorityReason": "IMDSv2 mitigates vulnerabilities related to metadata exploitation.", + "awsService": "EC2", + "awsServiceCategory": "Instances", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeInstancesCommand", + "reason": "Retrieve metadata settings of EC2 instances to check IMDS version enforcement." + } + ], + "commandUsedInFixFunction": [ + { + "name": "ModifyInstanceMetadataOptionsCommand", + "reason": "Enforce IMDSv2 on the EC2 instance." 
+ } + ], + "adviseBeforeFixFunction": "Ensure that enforcing IMDSv2 will not disrupt any existing services relying on metadata." + }, + { + "name": "EC2DetailedMonitoringEnabled", + "description": "Ensures that detailed monitoring is enabled for all EC2 instances.", + "priority": 2, + "priorityReason": "Detailed monitoring provides granular metrics for better operational visibility.", + "awsService": "EC2", + "awsServiceCategory": "Instances", + "bestPracticeCategory": "Monitoring", + "requiredParametersForFix": [], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeInstancesCommand", + "reason": "Retrieve monitoring settings for EC2 instances." + } + ], + "commandUsedInFixFunction": [ + { + "name": "MonitorInstancesCommand", + "reason": "Enable detailed monitoring for the EC2 instance." + } + ], + "adviseBeforeFixFunction": "Ensure enabling detailed monitoring aligns with cost considerations." + }, + { + "name": "EC2InstanceProfileAttached", + "description": "Ensures that all EC2 instances have an IAM instance profile attached.", + "priority": 2, + "priorityReason": "IAM instance profiles enable secure access to AWS services from EC2 instances.", + "awsService": "EC2", + "awsServiceCategory": "Instances", + "bestPracticeCategory": "Security", + "requiredParametersForFix": [ + { + "name": "instanceProfileName", + "description": "The name of the IAM instance profile to attach.", + "default": "", + "example": "EC2InstanceProfile" + } + ], + "isFixFunctionUsesDestructiveCommand": false, + "commandUsedInCheckFunction": [ + { + "name": "DescribeInstancesCommand", + "reason": "Check if IAM instance profiles are attached to EC2 instances." + } + ], + "commandUsedInFixFunction": [ + { + "name": "AssociateIamInstanceProfileCommand", + "reason": "Attach an IAM instance profile to the EC2 instance." + } + ], + "adviseBeforeFixFunction": "Ensure the IAM instance profile has the required policies attached." 
+ },
+ {
+ "name": "EC2StoppedInstance",
+ "description": "Ensures that unused stopped EC2 instances are terminated.",
+ "priority": 1,
+ "priorityReason": "Terminating stopped instances reduces costs and frees up resources.",
+ "awsService": "EC2",
+ "awsServiceCategory": "Instances",
+ "bestPracticeCategory": "Cost Management",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": true,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeInstancesCommand",
+ "reason": "Identify stopped EC2 instances."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "TerminateInstancesCommand",
+ "reason": "Terminate unused stopped EC2 instances."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure that the stopped instances are no longer needed before terminating them."
+ },
+ {
+ "name": "ECRPrivateImageScanningEnabled",
+ "description": "Ensures that image scanning on push is enabled for ECR repositories.",
+ "priority": 1,
+ "priorityReason": "Enabling image scanning on push helps identify vulnerabilities in container images.",
+ "awsService": "ECR",
+ "awsServiceCategory": "Container Registry",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeRepositoriesCommand",
+ "reason": "Retrieve repository configurations to check if image scanning on push is enabled."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "PutImageScanningConfigurationCommand",
+ "reason": "Enable image scanning on push for the repository."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the repository content complies with scanning requirements."
+ },
+ {
+ "name": "ECRPrivateLifecyclePolicyConfigured",
+ "description": "Ensures that lifecycle policies are configured for ECR repositories.",
+ "priority": 2,
+ "priorityReason": "Lifecycle policies help manage repository storage by automatically removing unneeded images.",
+ "awsService": "ECR",
+ "awsServiceCategory": "Container Registry",
+ "bestPracticeCategory": "Cost Management",
+ "requiredParametersForFix": [
+ {
+ "name": "lifecyclePolicyText",
+ "description": "The JSON-formatted lifecycle policy text.",
+ "default": "",
+ "example": "{\"rules\": [{\"rulePriority\": 1, \"description\": \"Keep only recent images\", \"selection\": {\"tagStatus\": \"untagged\", \"countType\": \"imageCountMoreThan\", \"countNumber\": 10, \"tagPrefixList\": []}, \"action\": {\"type\": \"expire\"}}]}"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "GetLifecyclePolicyCommand",
+ "reason": "Check if a lifecycle policy is configured for the repository."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "PutLifecyclePolicyCommand",
+ "reason": "Configure a lifecycle policy for the repository."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the lifecycle policy aligns with retention requirements."
+ },
+ {
+ "name": "ECRPrivateTagImmutabilityEnabled",
+ "description": "Ensures that tag immutability is enabled for ECR repositories.",
+ "priority": 2,
+ "priorityReason": "Tag immutability prevents overwriting tags, ensuring image stability and integrity.",
+ "awsService": "ECR",
+ "awsServiceCategory": "Container Registry",
+ "bestPracticeCategory": "Configuration",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeRepositoriesCommand",
+ "reason": "Retrieve repository configurations to check if tag immutability is enabled."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "PutImageTagMutabilityCommand",
+ "reason": "Enable tag immutability for the repository."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure that enabling tag immutability does not disrupt existing workflows."
+ },
+ {
+ "name": "ECRKmsEncryption",
+ "description": "Ensures that ECR repositories are encrypted using KMS keys.",
+ "priority": 1,
+ "priorityReason": "KMS encryption secures sensitive container images at rest.",
+ "awsService": "ECR",
+ "awsServiceCategory": "Container Registry",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "kmsKeyId",
+ "description": "The ID of the KMS key to use for encryption.",
+ "default": "",
+ "example": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeRepositoriesCommand",
+ "reason": "Retrieve repository configurations to check encryption settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "PutRepositoryPolicyCommand",
+ "reason": "Enable encryption for the repository using the specified KMS key."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the KMS key is properly configured and accessible."
+ },
+
+ {
+ "name": "ECSAwsvpcNetworkingEnabled",
+ "description": "Ensures that ECS task definitions use the `awsvpc` networking mode.",
+ "priority": 2,
+ "priorityReason": "Using the `awsvpc` networking mode provides each task with its own elastic network interface, improving network isolation.",
+ "awsService": "ECS",
+ "awsServiceCategory": "Task Definitions",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeTaskDefinitionCommand",
+ "reason": "Retrieve task definition details to check the networking mode."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RegisterTaskDefinitionCommand",
+ "reason": "Update the task definition to use the `awsvpc` networking mode."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the ECS cluster and tasks are configured to support `awsvpc` networking mode."
+ },
+ {
+ "name": "ECSContainersNonPrivileged",
+ "description": "Ensures that ECS containers do not run in privileged mode.",
+ "priority": 1,
+ "priorityReason": "Privileged mode can give containers elevated access to the host system, posing a security risk.",
+ "awsService": "ECS",
+ "awsServiceCategory": "Task Definitions",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeTaskDefinitionCommand",
+ "reason": "Retrieve task definition details to check container privilege settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RegisterTaskDefinitionCommand",
+ "reason": "Update the task definition to disable privileged mode."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the containers do not require privileged mode for their operations."
+ },
+ {
+ "name": "ECSContainersReadOnlyAccess",
+ "description": "Ensures that ECS containers have a read-only root filesystem where applicable.",
+ "priority": 1,
+ "priorityReason": "A read-only root filesystem limits the ability of attackers to modify the system and improves security.",
+ "awsService": "ECS",
+ "awsServiceCategory": "Task Definitions",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeTaskDefinitionCommand",
+ "reason": "Retrieve task definition details to check root filesystem settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RegisterTaskDefinitionCommand",
+ "reason": "Update the task definition to enable a read-only root filesystem."
+ }
+ ],
+ "adviseBeforeFixFunction": "Verify that containers can operate with a read-only root filesystem."
+ },
+ {
+ "name": "ECSContainerInsightsEnabled",
+ "description": "Ensures that ECS clusters have Container Insights enabled.",
+ "priority": 2,
+ "priorityReason": "Container Insights provides detailed monitoring metrics and logs for ECS clusters and services.",
+ "awsService": "ECS",
+ "awsServiceCategory": "Clusters",
+ "bestPracticeCategory": "Monitoring",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeClustersCommand",
+ "reason": "Retrieve ECS cluster configurations to check for Container Insights settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "UpdateClusterSettingsCommand",
+ "reason": "Enable Container Insights for the ECS cluster."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure CloudWatch is configured to receive metrics and logs from Container Insights."
+ },
+ {
+ "name": "ECSTaskDefinitionLogConfiguration",
+ "description": "Ensures that ECS task definitions include a log configuration.",
+ "priority": 1,
+ "priorityReason": "Log configuration ensures that container logs are sent to a centralized logging service such as CloudWatch.",
+ "awsService": "ECS",
+ "awsServiceCategory": "Task Definitions",
+ "bestPracticeCategory": "Monitoring",
+ "requiredParametersForFix": [
+ {
+ "name": "logDriver",
+ "description": "The log driver to use for the task definition.",
+ "default": "awslogs",
+ "example": "awslogs"
+ },
+ {
+ "name": "logOptions",
+ "description": "The options for the log driver, such as log group name and region.",
+ "default": "{}",
+ "example": "{\"awslogs-group\": \"/ecs/example\", \"awslogs-region\": \"us-east-1\"}"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeTaskDefinitionCommand",
+ "reason": "Retrieve task definition details to check for log configuration."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RegisterTaskDefinitionCommand",
+ "reason": "Update the task definition to include a log configuration."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the log group exists and is configured to receive logs."
+ },
+ {
+ "name": "ECSTaskDefinitionMemoryHardLimit",
+ "description": "Ensures that ECS containers specify a memory hard limit in the task definition.",
+ "priority": 1,
+ "priorityReason": "Specifying a memory hard limit prevents containers from consuming excessive memory, protecting other processes.",
+ "awsService": "ECS",
+ "awsServiceCategory": "Task Definitions",
+ "bestPracticeCategory": "Performance",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeTaskDefinitionCommand",
+ "reason": "Retrieve task definition details to check memory limit settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RegisterTaskDefinitionCommand",
+ "reason": "Update the task definition to specify a memory hard limit."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure containers are tested with the specified memory limits."
+ },
+ {
+ "name": "ECSTaskDefinitionNonRootUser",
+ "description": "Ensures that ECS containers run as a non-root user.",
+ "priority": 1,
+ "priorityReason": "Running containers as a non-root user reduces the risk of privilege escalation attacks.",
+ "awsService": "ECS",
+ "awsServiceCategory": "Task Definitions",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "user",
+ "description": "The user to run the container as.",
+ "default": "",
+ "example": "appuser"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeTaskDefinitionCommand",
+ "reason": "Retrieve task definition details to check the container user settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RegisterTaskDefinitionCommand",
+ "reason": "Update the task definition to run the container as a non-root user."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the application can run with non-root permissions."
+ },
+ {
+ "name": "EFSAccessPointEnforceRootDirectory",
+ "description": "Ensures that EFS access points enforce a non-root directory for enhanced security.",
+ "priority": 2,
+ "priorityReason": "Restricting access to specific directories reduces the risk of data exposure.",
+ "awsService": "EFS",
+ "awsServiceCategory": "Access Points",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "path",
+ "description": "The path to enforce as the root directory for the access point.",
+ "default": "/data",
+ "example": "/data"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeAccessPointsCommand",
+ "reason": "Retrieve information about EFS access points to check their root directory configuration."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateAccessPointCommand",
+ "reason": "Reconfigure the access point to enforce a specific root directory."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure that the directory path is properly configured and exists in the file system."
+ },
+ {
+ "name": "EFSAccessPointEnforceUserIdentity",
+ "description": "Ensures that EFS access points enforce a user identity for operations.",
+ "priority": 2,
+ "priorityReason": "Enforcing a user identity ensures accountability and proper access control.",
+ "awsService": "EFS",
+ "awsServiceCategory": "Access Points",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "posixUser",
+ "description": "The POSIX user configuration to enforce on the access point.",
+ "default": "{}",
+ "example": "{\"Uid\": 1001, \"Gid\": 1001, \"SecondaryGids\": [1002]}"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeAccessPointsCommand",
+ "reason": "Retrieve access point details to check POSIX user settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateAccessPointCommand",
+ "reason": "Reconfigure the access point to enforce a user identity."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the specified POSIX user is valid and properly configured in the file system."
+ },
+ {
+ "name": "EFSAutomaticBackupsEnabled",
+ "description": "Ensures that automatic backups are enabled for EFS file systems.",
+ "priority": 1,
+ "priorityReason": "Automatic backups ensure data recovery in case of accidental deletion or corruption.",
+ "awsService": "EFS",
+ "awsServiceCategory": "File Systems",
+ "bestPracticeCategory": "Resilience",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeBackupPolicyCommand",
+ "reason": "Check the backup policy for EFS file systems."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "PutBackupPolicyCommand",
+ "reason": "Enable automatic backups for the file system."
+ }
+ ],
+ "adviseBeforeFixFunction": "Verify backup retention policies align with organizational requirements."
+ },
+ {
+ "name": "EFSEncryptedCheck",
+ "description": "Ensures that EFS file systems are encrypted at rest.",
+ "priority": 1,
+ "priorityReason": "Encryption at rest protects sensitive data stored in EFS file systems.",
+ "awsService": "EFS",
+ "awsServiceCategory": "File Systems",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": true,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeFileSystemsCommand",
+ "reason": "Check if the file systems are encrypted."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateFileSystemCommand",
+ "reason": "Recreate the file system with encryption enabled."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure data migration is planned before recreating the file system with encryption."
+ },
+ {
+ "name": "EFSMountTargetPublicAccessible",
+ "description": "Ensures that EFS mount targets are not publicly accessible.",
+ "priority": 1,
+ "priorityReason": "Restricting public access prevents unauthorized access to file systems.",
+ "awsService": "EFS",
+ "awsServiceCategory": "Mount Targets",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeMountTargetsCommand",
+ "reason": "Retrieve information about mount targets to check public accessibility."
+ },
+ {
+ "name": "DescribeRouteTablesCommand",
+ "reason": "Check if mount targets are associated with routes exposing them publicly."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyMountTargetSecurityGroupsCommand",
+ "reason": "Restrict access to the mount target by updating security groups."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the security group rules align with organizational access policies."
+ },
+ {
+ "name": "EKSClusterLoggingEnabled",
+ "description": "Ensures that EKS clusters have all logging types enabled.",
+ "priority": 2,
+ "priorityReason": "Enabling cluster logging ensures better monitoring, troubleshooting, and compliance.",
+ "awsService": "EKS",
+ "awsServiceCategory": "Clusters",
+ "bestPracticeCategory": "Monitoring",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeClusterCommand",
+ "reason": "Retrieve cluster details to check logging configurations."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "UpdateClusterConfigCommand",
+ "reason": "Enable all available logging types for the EKS cluster."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure enabling logging will not impact current cluster performance or cost significantly."
+ },
+ {
+ "name": "EKSClusterSecretsEncrypted",
+ "description": "Ensures that EKS clusters use KMS encryption for secrets.",
+ "priority": 1,
+ "priorityReason": "Encrypting secrets enhances security and meets compliance requirements.",
+ "awsService": "EKS",
+ "awsServiceCategory": "Clusters",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "kmsKeyArn",
+ "description": "The ARN of the KMS key to use for secrets encryption.",
+ "default": "",
+ "example": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeClusterCommand",
+ "reason": "Check if the cluster has encryption enabled for secrets."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "AssociateEncryptionConfigCommand",
+ "reason": "Add encryption configuration to the EKS cluster."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the specified KMS key is available and properly configured for the cluster."
+ },
+ {
+ "name": "EKSEndpointNoPublicAccess",
+ "description": "Ensures that EKS cluster endpoints are not publicly accessible.",
+ "priority": 1,
+ "priorityReason": "Restricting public access prevents unauthorized access to the cluster.",
+ "awsService": "EKS",
+ "awsServiceCategory": "Clusters",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeClusterCommand",
+ "reason": "Retrieve cluster endpoint configuration to check public access settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "UpdateClusterConfigCommand",
+ "reason": "Disable public access for the cluster endpoint."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure private access is properly configured before disabling public access."
+ },
+ {
+ "name": "ElastiCacheAutoMinorVersionUpgradeCheck",
+ "description": "Ensures that Auto Minor Version Upgrade is enabled for ElastiCache clusters.",
+ "priority": 2,
+ "priorityReason": "Keeping clusters updated with minor versions ensures they receive the latest security patches and bug fixes.",
+ "awsService": "ElastiCache",
+ "awsServiceCategory": "Cache Clusters",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeCacheClustersCommand",
+ "reason": "Retrieve cluster configurations to check Auto Minor Version Upgrade settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyCacheClusterCommand",
+ "reason": "Enable Auto Minor Version Upgrade for the cluster."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure enabling minor version upgrades aligns with application compatibility."
+ },
+ {
+ "name": "ElastiCacheRedisClusterAutomaticBackupCheck",
+ "description": "Ensures that automatic backups are enabled for ElastiCache Redis clusters.",
+ "priority": 1,
+ "priorityReason": "Automatic backups are crucial for data recovery in case of accidental deletion or corruption.",
+ "awsService": "ElastiCache",
+ "awsServiceCategory": "Redis",
+ "bestPracticeCategory": "Resilience",
+ "requiredParametersForFix": [
+ {
+ "name": "snapshotRetentionLimit",
+ "description": "The number of days to retain backups.",
+ "default": "7",
+ "example": "7"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeReplicationGroupsCommand",
+ "reason": "Check if automatic backups are enabled for replication groups."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyReplicationGroupCommand",
+ "reason": "Enable automatic backups for the Redis replication group."
+ }
+ ],
+ "adviseBeforeFixFunction": "Verify the snapshot retention policy aligns with organizational recovery requirements."
+ },
+ {
+ "name": "ElastiCacheReplicationGroupAutoFailoverEnabled",
+ "description": "Ensures that Auto Failover is enabled for ElastiCache replication groups.",
+ "priority": 1,
+ "priorityReason": "Auto Failover ensures high availability and reduces downtime during node failures.",
+ "awsService": "ElastiCache",
+ "awsServiceCategory": "Replication Groups",
+ "bestPracticeCategory": "Resilience",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeReplicationGroupsCommand",
+ "reason": "Retrieve replication group configurations to check Auto Failover settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyReplicationGroupCommand",
+ "reason": "Enable Auto Failover for the replication group."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure enabling Auto Failover aligns with application high availability requirements."
+ },
+ {
+ "name": "ElastiCacheReplicationGroupEncryptedAtRest",
+ "description": "Ensures that ElastiCache replication groups are encrypted at rest.",
+ "priority": 1,
+ "priorityReason": "Encryption at rest protects sensitive data stored in ElastiCache from unauthorized access.",
+ "awsService": "ElastiCache",
+ "awsServiceCategory": "Replication Groups",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": true,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeReplicationGroupsCommand",
+ "reason": "Check if encryption at rest is enabled for replication groups."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateReplicationGroupCommand",
+ "reason": "Recreate the replication group with encryption enabled."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure data migration and application downtime are planned before recreating the replication group."
+ },
+ {
+ "name": "ElastiCacheReplicationGroupEncryptedInTransit",
+ "description": "Ensures that ElastiCache replication groups are encrypted in transit.",
+ "priority": 1,
+ "priorityReason": "Encryption in transit protects data from unauthorized access during transmission.",
+ "awsService": "ElastiCache",
+ "awsServiceCategory": "Replication Groups",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": true,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeReplicationGroupsCommand",
+ "reason": "Check if encryption in transit is enabled for replication groups."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateReplicationGroupCommand",
+ "reason": "Recreate the replication group with encryption in transit enabled."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure that enabling encryption in transit does not disrupt application connectivity."
+ },
+ {
+ "name": "ElastiCacheSubnetGroupCheck",
+ "description": "Ensures that ElastiCache clusters are not using the default subnet group.",
+ "priority": 2,
+ "priorityReason": "Using a custom subnet group ensures better control over network configurations.",
+ "awsService": "ElastiCache",
+ "awsServiceCategory": "Clusters",
+ "bestPracticeCategory": "Configuration",
+ "requiredParametersForFix": [
+ {
+ "name": "subnetGroupName",
+ "description": "The name of the custom subnet group to use.",
+ "default": "",
+ "example": "custom-subnet-group"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeCacheClustersCommand",
+ "reason": "Retrieve cluster configurations to check subnet group settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyCacheClusterCommand",
+ "reason": "Update the cluster to use a custom subnet group."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the custom subnet group is properly configured and meets network requirements."
+ },
+ {
+ "name": "IAMPolicyNoStatementsWithAdminAccess",
+ "description": "Ensures that IAM policies do not contain statements granting full administrative access.",
+ "priority": 1,
+ "priorityReason": "Granting full administrative access violates the principle of least privilege and poses a security risk.",
+ "awsService": "IAM",
+ "awsServiceCategory": "Policies",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListPoliciesCommand",
+ "reason": "Retrieve the list of local IAM policies."
+ },
+ {
+ "name": "GetPolicyVersionCommand",
+ "reason": "Retrieve the default version of IAM policies to analyze their statements."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreatePolicyVersionCommand",
+ "reason": "Create a new policy version with restricted permissions."
+ },
+ {
+ "name": "SetDefaultPolicyVersionCommand",
+ "reason": "Set the new policy version as the default."
+ }
+ ],
+ "adviseBeforeFixFunction": "Review the policy requirements to ensure removing administrative access will not disrupt operations."
+ },
+ {
+ "name": "IAMPolicyNoStatementsWithFullAccess",
+ "description": "Ensures that IAM policies do not contain statements granting full access to specific services.",
+ "priority": 1,
+ "priorityReason": "Granting full access to specific services can lead to unintentional misuse or privilege escalation.",
+ "awsService": "IAM",
+ "awsServiceCategory": "Policies",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListPoliciesCommand",
+ "reason": "Retrieve the list of local IAM policies."
+ },
+ {
+ "name": "GetPolicyVersionCommand",
+ "reason": "Retrieve the default version of IAM policies to analyze their statements."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreatePolicyVersionCommand",
+ "reason": "Create a new policy version with restricted permissions."
+ },
+ {
+ "name": "SetDefaultPolicyVersionCommand",
+ "reason": "Set the new policy version as the default."
+ }
+ ],
+ "adviseBeforeFixFunction": "Review the policy requirements to ensure removing full access permissions will not disrupt operations."
+ },
+ {
+ "name": "IAMRoleManagedPolicyCheck",
+ "description": "Ensures that managed policies are attached to IAM roles, groups, or users.",
+ "priority": 2,
+ "priorityReason": "Attaching managed policies ensures consistent permissions and simplifies policy management.",
+ "awsService": "IAM",
+ "awsServiceCategory": "Roles",
+ "bestPracticeCategory": "Configuration",
+ "requiredParametersForFix": [
+ {
+ "name": "roleName",
+ "description": "The name of the IAM role to attach the managed policy to.",
+ "default": "",
+ "example": "MyRole"
+ },
+ {
+ "name": "policyArn",
+ "description": "The ARN of the managed policy to attach.",
+ "default": "",
+ "example": "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListPoliciesCommand",
+ "reason": "Retrieve the list of managed IAM policies."
+ },
+ {
+ "name": "ListEntitiesForPolicyCommand",
+ "reason": "Check which entities are attached to each managed policy."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "AttachRolePolicyCommand",
+ "reason": "Attach a managed policy to an IAM role."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the managed policy aligns with the role's intended permissions."
+ },
+ {
+ "name": "LambdaDLQCheck",
+ "description": "Ensures that AWS Lambda functions have a Dead Letter Queue (DLQ) configured.",
+ "priority": 2,
+ "priorityReason": "Configuring a DLQ ensures that failed Lambda invocations are captured for troubleshooting and analysis.",
+ "awsService": "Lambda",
+ "awsServiceCategory": "Functions",
+ "bestPracticeCategory": "Reliability",
+ "requiredParametersForFix": [
+ {
+ "name": "dlqArn",
+ "description": "The ARN of the Dead Letter Queue to configure.",
+ "default": "",
+ "example": "arn:aws:sqs:us-east-1:123456789012:MyDLQ"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListFunctionsCommand",
+ "reason": "Retrieve the list of Lambda functions to check for DLQ configurations."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "UpdateFunctionConfigurationCommand",
+ "reason": "Configure a Dead Letter Queue for the Lambda function."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the DLQ exists and has the appropriate permissions to receive failed messages."
+ },
+ {
+ "name": "LambdaFunctionPublicAccessProhibited",
+ "description": "Ensures that AWS Lambda functions are not publicly accessible.",
+ "priority": 1,
+ "priorityReason": "Publicly accessible Lambda functions can lead to security vulnerabilities and unauthorized usage.",
+ "awsService": "Lambda",
+ "awsServiceCategory": "Functions",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "GetPolicyCommand",
+ "reason": "Retrieve the Lambda function's resource-based policy to check for public access."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RemovePermissionCommand",
+ "reason": "Remove any permissions that grant public access to the Lambda function."
+ }
+ ],
+ "adviseBeforeFixFunction": "Verify that removing public access will not disrupt intended functionality."
+ },
+ {
+ "name": "LambdaFunctionSettingsCheck",
+ "description": "Ensures that AWS Lambda functions do not use default settings for timeout and memory.",
+ "priority": 2,
+ "priorityReason": "Customizing timeout and memory settings optimizes function performance and cost.",
+ "awsService": "Lambda",
+ "awsServiceCategory": "Functions",
+ "bestPracticeCategory": "Performance",
+ "requiredParametersForFix": [
+ {
+ "name": "timeout",
+ "description": "The timeout duration (in seconds) for the Lambda function.",
+ "default": "15",
+ "example": "15"
+ },
+ {
+ "name": "memorySize",
+ "description": "The memory size (in MB) allocated to the Lambda function.",
+ "default": "256",
+ "example": "256"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListFunctionsCommand",
+ "reason": "Retrieve the list of Lambda functions to check their settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "UpdateFunctionConfigurationCommand",
+ "reason": "Update the function's timeout and memory settings."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the updated settings align with the function's performance and cost requirements."
+ },
+ {
+ "name": "LambdaInsideVPC",
+ "description": "Ensures that AWS Lambda functions are configured to run inside a VPC.",
+ "priority": 1,
+ "priorityReason": "Running Lambda functions inside a VPC provides additional security and control over network traffic.",
+ "awsService": "Lambda",
+ "awsServiceCategory": "Functions",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "subnetIds",
+ "description": "The subnet IDs for the Lambda function to use.",
+ "default": "",
+ "example": "subnet-12345678,subnet-87654321"
+ },
+ {
+ "name": "securityGroupIds",
+ "description": "The security group IDs for the Lambda function to use.",
+ "default": "",
+ "example": "sg-12345678,sg-87654321"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListFunctionsCommand",
+ "reason": "Retrieve the list of Lambda functions to check their VPC configurations."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "UpdateFunctionConfigurationCommand",
+ "reason": "Configure the function to use a VPC."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the specified subnets and security groups are configured correctly and have necessary permissions."
+ },
+ {
+ "name": "AuroraLastBackupRecoveryPointCreated",
+ "description": "Ensures that Aurora DB clusters have a recent recovery point created.",
+ "priority": 1,
+ "priorityReason": "Recent backups ensure data recovery in case of accidental deletion or corruption.",
+ "awsService": "RDS",
+ "awsServiceCategory": "Aurora Clusters",
+ "bestPracticeCategory": "Resilience",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeDBClustersCommand",
+ "reason": "Retrieve the list of Aurora DB clusters."
+ },
+ {
+ "name": "DescribeDBClusterSnapshotsCommand",
+ "reason": "Check the most recent recovery point for each cluster."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateDBClusterSnapshotCommand",
+ "reason": "Create a new recovery point for the Aurora DB cluster."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the DB cluster is in a stable state before creating a snapshot."
+ },
+ {
+ "name": "AuroraMySQLBacktrackingEnabled",
+ "description": "Ensures that backtracking is enabled for Aurora MySQL clusters.",
+ "priority": 2,
+ "priorityReason": "Backtracking allows quick recovery from accidental data modifications.",
+ "awsService": "RDS",
+ "awsServiceCategory": "Aurora Clusters",
+ "bestPracticeCategory": "Resilience",
+ "requiredParametersForFix": [
+ {
+ "name": "backtrackWindow",
+ "description": "The backtracking window in seconds.",
+ "default": "86400",
+ "example": "86400"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeDBClustersCommand",
+ "reason": "Retrieve the list of Aurora MySQL clusters and check their backtracking configuration."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyDBClusterCommand",
+ "reason": "Enable backtracking for the Aurora MySQL cluster."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure enabling backtracking does not disrupt the current cluster configuration."
+ },
+ {
+ "name": "DBInstanceBackupEnabled",
+ "description": "Ensures that backups are enabled for RDS instances.",
+ "priority": 1,
+ "priorityReason": "Enabling backups is critical for disaster recovery and data protection.",
+ "awsService": "RDS",
+ "awsServiceCategory": "Instances",
+ "bestPracticeCategory": "Resilience",
+ "requiredParametersForFix": [
+ {
+ "name": "backupRetentionPeriod",
+ "description": "The number of days to retain automated backups.",
+ "default": "7",
+ "example": "7"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeDBInstancesCommand",
+ "reason": "Retrieve the list of RDS instances and check their backup settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyDBInstanceCommand",
+ "reason": "Enable automated backups for the RDS instance."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the backup retention policy meets organizational recovery requirements."
+ },
+ {
+ "name": "RDSClusterIAMAuthenticationEnabled",
+ "description": "Ensures that IAM authentication is enabled for RDS clusters.",
+ "priority": 2,
+ "priorityReason": "IAM authentication simplifies credential management and enhances security.",
+ "awsService": "RDS",
+ "awsServiceCategory": "Clusters",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeDBClustersCommand",
+ "reason": "Retrieve the list of RDS clusters and check their IAM authentication settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyDBClusterCommand",
+ "reason": "Enable IAM authentication for the RDS cluster."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure IAM roles are properly configured to support database authentication."
+ },
+ {
+ "name": "RDSClusterDeletionProtectionEnabled",
+ "description": "Ensures that deletion protection is enabled for RDS clusters.",
+ "priority": 1,
+ "priorityReason": "Deletion protection prevents accidental deletion of critical RDS clusters.",
+ "awsService": "RDS",
+ "awsServiceCategory": "Clusters",
+ "bestPracticeCategory": "Resilience",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeDBClustersCommand",
+ "reason": "Retrieve the list of RDS clusters and check their deletion protection settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyDBClusterCommand",
+ "reason": "Enable deletion protection for the RDS cluster."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure deletion protection aligns with operational requirements and does not block intentional deletions."
+ },
+ {
+ "name": "RDSClusterEncryptedAtRest",
+ "description": "Ensures that RDS clusters are encrypted at rest.",
+ "priority": 1,
+ "priorityReason": "Encryption at rest protects sensitive data stored in RDS clusters.",
+ "awsService": "RDS",
+ "awsServiceCategory": "Clusters",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": true,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeDBClustersCommand",
+ "reason": "Retrieve the list of RDS clusters and check their encryption settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateDBClusterCommand",
+ "reason": "Recreate the RDS cluster with encryption enabled."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure data migration is planned before recreating the RDS cluster with encryption."
+ },
+ {
+ "name": "S3BucketVersioningEnabled",
+ "description": "Ensures that S3 bucket versioning is enabled.",
+ "priority": 1,
+ "priorityReason": "Enabling versioning helps protect against accidental overwrites and deletions.",
+ "awsService": "S3",
+ "awsServiceCategory": "Buckets",
+ "bestPracticeCategory": "Resilience",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "GetBucketVersioningCommand",
+ "reason": "Check if versioning is enabled for the S3 bucket."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "PutBucketVersioningCommand",
+ "reason": "Enable versioning for the S3 bucket."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure that enabling versioning aligns with cost and recovery policies."
+ },
+ {
+ "name": "S3BucketSSLRequestsOnly",
+ "description": "Ensures that S3 buckets require SSL for requests.",
+ "priority": 1,
+ "priorityReason": "Requiring SSL ensures secure data transmission to and from the bucket.",
+ "awsService": "S3",
+ "awsServiceCategory": "Buckets",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "GetBucketPolicyCommand",
+ "reason": "Retrieve the bucket policy to check for SSL enforcement."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "PutBucketPolicyCommand",
+ "reason": "Update or create a bucket policy to enforce SSL requests."
+ }
+ ],
+ "adviseBeforeFixFunction": "Review the impact of enforcing SSL on applications accessing the bucket."
+ },
+ {
+ "name": "S3BucketLoggingEnabled",
+ "description": "Ensures that S3 bucket logging is enabled.",
+ "priority": 2,
+ "priorityReason": "Bucket logging helps in auditing and monitoring access patterns.",
+ "awsService": "S3",
+ "awsServiceCategory": "Buckets",
+ "bestPracticeCategory": "Monitoring",
+ "requiredParametersForFix": [
+ {
+ "name": "targetBucket",
+ "description": "The target bucket for storing access logs.",
+ "default": "",
+ "example": "my-log-bucket"
+ },
+ {
+ "name": "targetPrefix",
+ "description": "The prefix for log file names.",
+ "default": "",
+ "example": "logs/"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "GetBucketLoggingCommand",
+ "reason": "Retrieve the bucket logging configuration."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "PutBucketLoggingCommand",
+ "reason": "Enable logging for the S3 bucket."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the target bucket exists and has the necessary permissions for logging."
+ },
+ {
+ "name": "S3BucketDefaultLockEnabled",
+ "description": "Ensures that S3 Object Lock is enabled by default on buckets.",
+ "priority": 1,
+ "priorityReason": "Object Lock protects objects against deletion or modification for a specified period.",
+ "awsService": "S3",
+ "awsServiceCategory": "Buckets",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": true,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "GetObjectLockConfigurationCommand",
+ "reason": "Check if the S3 bucket has default Object Lock enabled."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateBucketCommand",
+ "reason": "Recreate the bucket with Object Lock enabled."
+ }
+ ],
+ "adviseBeforeFixFunction": "Recreating a bucket deletes its existing data. Ensure proper data migration is planned."
+ },
+ {
+ "name": "S3AccessPointInVPCOnly",
+ "description": "Ensures that S3 access points are restricted to a VPC.",
+ "priority": 1,
+ "priorityReason": "Restricting access points to a VPC enhances security by limiting access to internal networks.",
+ "awsService": "S3",
+ "awsServiceCategory": "Access Points",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "vpcId",
+ "description": "The ID of the VPC to restrict access points to.",
+ "default": "",
+ "example": "vpc-12345678"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListAccessPointsCommand",
+ "reason": "Retrieve the list of S3 access points."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "UpdateAccessPointCommand",
+ "reason": "Restrict the access point to a specified VPC."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the specified VPC is correctly configured for S3 access."
+ },
+ {
+ "name": "SecretsManagerRotationEnabledCheck",
+ "description": "Ensures that secret rotation is enabled for AWS Secrets Manager secrets.",
+ "priority": 1,
+ "priorityReason": "Enabling rotation reduces the risk of credential compromise by regularly updating them.",
+ "awsService": "SecretsManager",
+ "awsServiceCategory": "Secrets",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "rotationLambdaARN",
+ "description": "The ARN of the Lambda function to handle rotation.",
+ "default": "",
+ "example": "arn:aws:lambda:us-east-1:123456789012:function:MyRotationLambda"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListSecretsCommand",
+ "reason": "Retrieve the list of Secrets Manager secrets."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RotateSecretCommand",
+ "reason": "Enable rotation for the secret."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure that the rotation Lambda function is configured correctly to handle secret updates."
+ },
+ {
+ "name": "SecretsManagerScheduledRotationSuccessCheck",
+ "description": "Ensures that secrets with rotation enabled have been rotated successfully within the scheduled time.",
+ "priority": 1,
+ "priorityReason": "Ensuring timely rotation protects against stale or compromised credentials.",
+ "awsService": "SecretsManager",
+ "awsServiceCategory": "Secrets",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListSecretsCommand",
+ "reason": "Retrieve the list of Secrets Manager secrets."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RotateSecretCommand",
+ "reason": "Force rotation of the secret to update it."
+ }
+ ],
+ "adviseBeforeFixFunction": "Verify that the rotation Lambda function is active and can handle forced rotation."
+ },
+ {
+ "name": "SecretsManagerSecretPeriodicRotation",
+ "description": "Ensures that secrets are rotated periodically, at least every 90 days.",
+ "priority": 2,
+ "priorityReason": "Periodic rotation helps mitigate risks of long-lived credentials.",
+ "awsService": "SecretsManager",
+ "awsServiceCategory": "Secrets",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "rotationDays",
+ "description": "The number of days after which the secret should be rotated.",
+ "default": "90",
+ "example": "90"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListSecretsCommand",
+ "reason": "Retrieve the list of Secrets Manager secrets."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "UpdateSecretCommand",
+ "reason": "Set the rotation schedule for the secret."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure rotation rules align with organizational policies and application dependencies."
+ },
+ {
+ "name": "SecurityHubEnabled",
+ "description": "Ensures that AWS Security Hub is enabled for the AWS account.",
+ "priority": 1,
+ "priorityReason": "Enabling Security Hub is critical for monitoring and managing security across AWS accounts.",
+ "awsService": "SecurityHub",
+ "awsServiceCategory": "Security Monitoring",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeHubCommand",
+ "reason": "Check if Security Hub is enabled in the account."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "EnableSecurityHubCommand",
+ "reason": "Enable Security Hub for the account."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure that enabling Security Hub aligns with organizational policies and cost considerations."
+ },
+ {
+ "name": "SNSEncryptedKMS",
+ "description": "Ensures that SNS topics are encrypted using KMS keys.",
+ "priority": 2,
+ "priorityReason": "Encrypting SNS topics helps protect sensitive data transmitted via notifications.",
+ "awsService": "SNS",
+ "awsServiceCategory": "Topics",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [
+ {
+ "name": "kmsKeyId",
+ "description": "The KMS key ID or ARN to encrypt the SNS topic.",
+ "default": "",
+ "example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListTopicsCommand",
+ "reason": "Retrieve the list of SNS topics."
+ },
+ {
+ "name": "GetTopicAttributesCommand",
+ "reason": "Check the encryption settings of each SNS topic."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "SetTopicAttributesCommand",
+ "reason": "Enable encryption for the SNS topic."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the KMS key is configured correctly and accessible by SNS."
+ },
+ {
+ "name": "SNSTopicMessageDeliveryNotificationEnabled",
+ "description": "Ensures that SNS topics are configured to send delivery notifications.",
+ "priority": 3,
+ "priorityReason": "Enabling delivery notifications ensures visibility into message delivery status.",
+ "awsService": "SNS",
+ "awsServiceCategory": "Topics",
+ "bestPracticeCategory": "Monitoring",
+ "requiredParametersForFix": [
+ {
+ "name": "feedbackRoleArn",
+ "description": "The ARN of the IAM role to enable delivery notifications.",
+ "default": "",
+ "example": "arn:aws:iam::123456789012:role/SNSDeliveryRole"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "ListTopicsCommand",
+ "reason": "Retrieve the list of SNS topics."
+ },
+ {
+ "name": "GetTopicAttributesCommand",
+ "reason": "Check if delivery notifications are enabled for each topic."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "SetTopicAttributesCommand",
+ "reason": "Enable delivery notifications for the SNS topic."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure the IAM role has the appropriate permissions to manage delivery notifications."
+ },
+ {
+ "name": "EC2TransitGatewayAutoVPCAttachDisabled",
+ "description": "Ensures that the auto-attach feature of Transit Gateways is disabled.",
+ "priority": 1,
+ "priorityReason": "Disabling auto-attach ensures manual control over VPC attachments, enhancing security and governance.",
+ "awsService": "EC2",
+ "awsServiceCategory": "Transit Gateways",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeTransitGatewaysCommand",
+ "reason": "Retrieve the list of Transit Gateways and check their auto-attach settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifyTransitGatewayCommand",
+ "reason": "Disable the auto-attach feature for the Transit Gateway."
+ }
+ ],
+ "adviseBeforeFixFunction": "Verify that no active auto-attached VPCs will be impacted by disabling this feature."
+ },
+ {
+ "name": "RestrictedSSH",
+ "description": "Ensures that SSH access (port 22) is restricted to trusted sources.",
+ "priority": 1,
+ "priorityReason": "Restricting SSH access prevents unauthorized access to resources and strengthens security.",
+ "awsService": "EC2",
+ "awsServiceCategory": "Security Groups",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": true,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeSecurityGroupRulesCommand",
+ "reason": "Retrieve security group rules to check for unrestricted SSH access."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RevokeSecurityGroupIngressCommand",
+ "reason": "Revoke rules allowing unrestricted SSH access."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure that legitimate users have alternative access paths before restricting SSH access."
+ },
+ {
+ "name": "SubnetAutoAssignPublicIPDisabled",
+ "description": "Ensures that subnets are not configured to automatically assign public IP addresses.",
+ "priority": 2,
+ "priorityReason": "Disabling automatic public IP assignment helps prevent unintended exposure of resources to the internet.",
+ "awsService": "EC2",
+ "awsServiceCategory": "Subnets",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeSubnetsCommand",
+ "reason": "Retrieve the list of subnets and check their public IP assignment settings."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "ModifySubnetAttributeCommand",
+ "reason": "Disable automatic public IP assignment for the subnet."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure no essential resources require public IPs before disabling this feature."
+ },
+ {
+ "name": "VPCFlowLogsEnabled",
+ "description": "Ensures that flow logs are enabled for all VPCs.",
+ "priority": 1,
+ "priorityReason": "Enabling flow logs provides visibility into network traffic and helps with troubleshooting and auditing.",
+ "awsService": "EC2",
+ "awsServiceCategory": "VPCs",
+ "bestPracticeCategory": "Monitoring",
+ "requiredParametersForFix": [
+ {
+ "name": "logGroupName",
+ "description": "The name of the CloudWatch log group to store flow logs.",
+ "default": "",
+ "example": "VPCFlowLogs"
+ },
+ {
+ "name": "iamRoleArn",
+ "description": "The ARN of the IAM role with permissions to publish flow logs to CloudWatch.",
+ "default": "",
+ "example": "arn:aws:iam::123456789012:role/FlowLogsRole"
+ }
+ ],
+ "isFixFunctionUsesDestructiveCommand": false,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeVpcsCommand",
+ "reason": "Retrieve the list of VPCs and check if flow logs are enabled."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "CreateFlowLogsCommand",
+ "reason": "Enable flow logs for the VPC."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure CloudWatch and IAM role configurations are prepared to handle the new logs."
+ },
+ {
+ "name": "VPCDefaultSecurityGroupClosed",
+ "description": "Ensures that default security groups have no inbound or outbound rules.",
+ "priority": 1,
+ "priorityReason": "Closing default security groups prevents unintended access and strengthens security.",
+ "awsService": "EC2",
+ "awsServiceCategory": "Security Groups",
+ "bestPracticeCategory": "Security",
+ "requiredParametersForFix": [],
+ "isFixFunctionUsesDestructiveCommand": true,
+ "commandUsedInCheckFunction": [
+ {
+ "name": "DescribeSecurityGroupsCommand",
+ "reason": "Retrieve default security groups and check their rules."
+ }
+ ],
+ "commandUsedInFixFunction": [
+ {
+ "name": "RevokeSecurityGroupIngressCommand",
+ "reason": "Remove all inbound rules from the default security group."
+ },
+ {
+ "name": "RevokeSecurityGroupEgressCommand",
+ "reason": "Remove all outbound rules from the default security group."
+ }
+ ],
+ "adviseBeforeFixFunction": "Ensure no critical dependencies are relying on the default security group rules."
+ }
+]
diff --git a/src/bpsets/ec2/EC2InstanceProfileAttached,ts b/src/bpsets/ec2/EC2InstanceProfileAttached.ts
similarity index 100%
rename from src/bpsets/ec2/EC2InstanceProfileAttached,ts
rename to src/bpsets/ec2/EC2InstanceProfileAttached.ts