[ { "name": "ALBHttpDropInvalidHeaderEnabled", "description": "Ensures that the ALB is configured to drop invalid HTTP headers.", "priority": 1, "priorityReason": "Invalid headers can introduce security vulnerabilities.", "awsService": "Elastic Load Balancing", "awsServiceCategory": "Application Load Balancer", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeLoadBalancerAttributes", "reason": "Retrieve ALB attributes to check for the invalid header configuration." } ], "commandUsedInFixFunction": [ { "name": "ModifyLoadBalancerAttributes", "reason": "Enable the drop invalid headers feature for the ALB." } ], "adviseBeforeFixFunction": "Ensure that enabling this attribute does not break any custom client behavior." }, { "name": "APIGatewayV2AccessLogsEnabled", "description": "Ensures that access logs are enabled for API Gateway V2 HTTP APIs.", "priority": 2, "priorityReason": "Access logs help in monitoring and debugging API traffic issues.", "awsService": "APIGateway", "awsServiceCategory": "HTTP API", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "logGroupArn", "description": "The ARN of the CloudWatch Log Group to store access logs.", "default": "", "example": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/http-api/logs:*" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetStagesCommand", "reason": "Retrieve stage information for HTTP APIs to check for access log configuration." } ], "commandUsedInFixFunction": [ { "name": "UpdateStageCommand", "reason": "Enable access logs and configure the CloudWatch Log Group for the stage." } ], "adviseBeforeFixFunction": "Ensure the specified CloudWatch Log Group exists and has proper permissions." 
}, { "name": "APIGatewayV2AuthorizationTypeConfigured", "description": "Verifies that all routes in API Gateway V2 HTTP APIs have authorization configured.", "priority": 1, "priorityReason": "Authorization protects APIs from unauthorized access.", "awsService": "APIGateway", "awsServiceCategory": "HTTP API", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "authorizationType", "description": "The type of authorization to apply to the API route.", "default": "AWS_IAM", "example": "JWT" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetRoutesCommand", "reason": "Retrieve route information to check for authorization configuration." } ], "commandUsedInFixFunction": [ { "name": "UpdateRouteCommand", "reason": "Update route configuration to include the specified authorization type." } ], "adviseBeforeFixFunction": "Ensure that the chosen authorization method is correctly set up and configured." }, { "name": "APIGatewayAssociatedWithWAF", "description": "Ensures that the API Gateway stages are associated with a WAF WebACL.", "priority": 1, "priorityReason": "WAF provides protection against common web exploits.", "awsService": "APIGateway", "awsServiceCategory": "REST API", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "webAclArn", "description": "The ARN of the WAF WebACL to associate with the API Gateway stage.", "default": "", "example": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/ExampleWebACL/12345678-1234-5678-abcd-1234567890ab" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetStageCommand", "reason": "Retrieve stage information to check if it is associated with a WAF WebACL." } ], "commandUsedInFixFunction": [ { "name": "AssociateWebACLCommand", "reason": "Associate the specified WAF WebACL with the API Gateway stage." 
} ], "adviseBeforeFixFunction": "Ensure the WAF WebACL is properly configured before associating it with the API Gateway stage." }, { "name": "APIGatewayExecutionLoggingEnabled", "description": "Ensures that execution logging is enabled for API Gateway stages.", "priority": 2, "priorityReason": "Execution logs help in debugging and monitoring API requests.", "awsService": "APIGateway", "awsServiceCategory": "REST API", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetStageCommand", "reason": "Retrieve stage information to check execution logging configuration." } ], "commandUsedInFixFunction": [ { "name": "UpdateStageCommand", "reason": "Enable execution logging for the API Gateway stage." } ], "adviseBeforeFixFunction": "Ensure CloudWatch Logs are set up correctly to receive execution logs." }, { "name": "AutoScalingGroupELBHealthCheckRequired", "description": "Ensures that Auto Scaling Groups with load balancers or target groups use ELB health checks.", "priority": 1, "priorityReason": "ELB health checks ensure that unhealthy instances are replaced automatically.", "awsService": "AutoScaling", "awsServiceCategory": "Auto Scaling Group", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeAutoScalingGroupsCommand", "reason": "Retrieve Auto Scaling Group configurations to check health check settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateAutoScalingGroupCommand", "reason": "Update the health check type of the Auto Scaling Group to ELB." } ], "adviseBeforeFixFunction": "Ensure that the ELB or target group is correctly configured to provide health checks." 
}, { "name": "AutoScalingMultipleAZ", "description": "Ensures that Auto Scaling Groups are configured to run in multiple Availability Zones.", "priority": 2, "priorityReason": "Multiple AZs improve availability and fault tolerance of the application.", "awsService": "AutoScaling", "awsServiceCategory": "Auto Scaling Group", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [ { "name": "availabilityZones", "description": "List of Availability Zones to add to the Auto Scaling Group.", "default": "", "example": "[\"us-east-1a\", \"us-east-1b\"]" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeAutoScalingGroupsCommand", "reason": "Retrieve Auto Scaling Group configurations to check the number of Availability Zones." } ], "commandUsedInFixFunction": [ { "name": "UpdateAutoScalingGroupCommand", "reason": "Add multiple Availability Zones to the Auto Scaling Group." } ], "adviseBeforeFixFunction": "Ensure that the additional Availability Zones have the necessary capacity and resources." 
}, { "name": "AutoScalingLaunchTemplate", "description": "Ensures that Auto Scaling Groups use launch templates instead of launch configurations.", "priority": 3, "priorityReason": "Launch templates provide better flexibility and are recommended over launch configurations.", "awsService": "AutoScaling", "awsServiceCategory": "Auto Scaling Group", "bestPracticeCategory": "Configuration", "requiredParametersForFix": [ { "name": "launchTemplateId", "description": "The ID of the launch template to associate with the Auto Scaling Group.", "default": "", "example": "lt-0123456789abcdef0" }, { "name": "launchTemplateVersion", "description": "The version of the launch template to use.", "default": "$Latest", "example": "$Latest" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeAutoScalingGroupsCommand", "reason": "Retrieve Auto Scaling Group configurations to check for launch configuration usage." } ], "commandUsedInFixFunction": [ { "name": "UpdateAutoScalingGroupCommand", "reason": "Switch the Auto Scaling Group to use a launch template." } ], "adviseBeforeFixFunction": "Ensure the launch template is properly configured before associating it with the Auto Scaling Group." 
}, { "name": "CloudFrontAccessLogsEnabled", "description": "Ensures that access logging is enabled for CloudFront distributions.", "priority": 2, "priorityReason": "Access logs help monitor and analyze distribution traffic.", "awsService": "CloudFront", "awsServiceCategory": "Content Delivery Network", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "s3BucketName", "description": "The name of the S3 bucket to store access logs.", "default": "", "example": "my-cloudfront-logs-bucket" }, { "name": "s3BucketPrefix", "description": "The prefix for the access logs in the S3 bucket.", "default": "", "example": "CloudFront/logs/" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetDistributionCommand", "reason": "Retrieve the configuration of CloudFront distributions to check logging status." } ], "commandUsedInFixFunction": [ { "name": "UpdateDistributionCommand", "reason": "Enable access logging and configure the S3 bucket for the CloudFront distribution." } ], "adviseBeforeFixFunction": "Ensure the S3 bucket exists and has the necessary permissions to receive access logs." 
}, { "name": "CloudFrontAssociatedWithWAF", "description": "Ensures that CloudFront distributions are associated with a WAF WebACL.", "priority": 1, "priorityReason": "WAF protects the distribution from known vulnerabilities and attacks.", "awsService": "CloudFront", "awsServiceCategory": "Content Delivery Network", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "webAclArn", "description": "The ARN of the WAF WebACL to associate with the CloudFront distribution.", "default": "", "example": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/ExampleWebACL/12345678-1234-5678-abcd-1234567890ab" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetDistributionCommand", "reason": "Retrieve the configuration of CloudFront distributions to check for WAF WebACL association." } ], "commandUsedInFixFunction": [ { "name": "AssociateWebACLCommand", "reason": "Associate a WAF WebACL with the CloudFront distribution." } ], "adviseBeforeFixFunction": "Ensure the WAF WebACL is properly configured before associating it." }, { "name": "CloudFrontDefaultRootObjectConfigured", "description": "Ensures that a default root object is configured for CloudFront distributions.", "priority": 3, "priorityReason": "A default root object improves user experience by serving content for root domain requests.", "awsService": "CloudFront", "awsServiceCategory": "Content Delivery Network", "bestPracticeCategory": "Configuration", "requiredParametersForFix": [ { "name": "defaultRootObject", "description": "The default root object to configure for the CloudFront distribution.", "default": "index.html", "example": "index.html" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetDistributionCommand", "reason": "Retrieve the configuration of CloudFront distributions to check for a default root object." 
} ], "commandUsedInFixFunction": [ { "name": "UpdateDistributionCommand", "reason": "Set a default root object for the CloudFront distribution." } ], "adviseBeforeFixFunction": "Ensure the specified root object exists in the origin bucket or server." }, { "name": "CloudFrontNoDeprecatedSSLProtocols", "description": "Ensures that deprecated SSL protocols like SSLv3 are not enabled for CloudFront distributions.", "priority": 1, "priorityReason": "Deprecated SSL protocols pose security risks and should be disabled.", "awsService": "CloudFront", "awsServiceCategory": "Content Delivery Network", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetDistributionCommand", "reason": "Retrieve the configuration of CloudFront distributions to check SSL protocols." } ], "commandUsedInFixFunction": [ { "name": "UpdateDistributionCommand", "reason": "Update the SSL protocol settings to disable deprecated protocols." } ], "adviseBeforeFixFunction": "Ensure the change aligns with your application's SSL requirements." }, { "name": "CloudFrontViewerPolicyHTTPS", "description": "Ensures that viewer protocol policies enforce HTTPS for all CloudFront distributions.", "priority": 1, "priorityReason": "Enforcing HTTPS ensures secure communication between the client and the distribution.", "awsService": "CloudFront", "awsServiceCategory": "Content Delivery Network", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetDistributionCommand", "reason": "Retrieve the configuration of CloudFront distributions to check viewer protocol policies." } ], "commandUsedInFixFunction": [ { "name": "UpdateDistributionCommand", "reason": "Update viewer protocol policies to enforce HTTPS for all behaviors." 
} ], "adviseBeforeFixFunction": "Ensure all origins are configured to accept HTTPS traffic." }, { "name": "CloudWatchAlarmSettingsCheck", "description": "Ensures that CloudWatch alarms are configured with the required settings.", "priority": 3, "priorityReason": "Properly configured alarms ensure timely monitoring and response to system events.", "awsService": "CloudWatch", "awsServiceCategory": "Alarms", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "alarmParameters", "description": "The required parameters to configure the alarm properly.", "default": "{}", "example": "{\"MetricName\": \"CPUUtilization\", \"Threshold\": 80, \"ComparisonOperator\": \"GreaterThanOrEqualToThreshold\"}" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeAlarmsCommand", "reason": "Retrieve CloudWatch alarm configurations to check for required parameters." } ], "commandUsedInFixFunction": [ { "name": "PutMetricAlarmCommand", "reason": "Update the alarm settings to match the required configuration." } ], "adviseBeforeFixFunction": "Ensure the specified metric and parameters align with the monitoring objectives." }, { "name": "CodeBuildProjectEnvironmentPrivilegedCheck", "description": "Ensures that CodeBuild projects do not have privileged mode enabled in their environment.", "priority": 1, "priorityReason": "Privileged mode can pose a security risk by allowing unrestricted access to resources.", "awsService": "CodeBuild", "awsServiceCategory": "Build Projects", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "BatchGetProjectsCommand", "reason": "Retrieve CodeBuild project configurations to check for privileged mode." } ], "commandUsedInFixFunction": [ { "name": "UpdateProjectCommand", "reason": "Disable privileged mode for the CodeBuild project." 
} ], "adviseBeforeFixFunction": "Ensure that privileged mode is not required for specific build operations." }, { "name": "CodeBuildProjectLoggingEnabled", "description": "Ensures that CodeBuild projects have logging enabled to CloudWatch or S3.", "priority": 2, "priorityReason": "Logs help monitor and debug the build process.", "awsService": "CodeBuild", "awsServiceCategory": "Build Projects", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "logGroupArn", "description": "The ARN of the CloudWatch Log Group to store build logs.", "default": "", "example": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/logs:*" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "BatchGetProjectsCommand", "reason": "Retrieve CodeBuild project configurations to check for logging settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateProjectCommand", "reason": "Enable logging for the CodeBuild project." } ], "adviseBeforeFixFunction": "Ensure the specified CloudWatch Log Group exists and has necessary permissions." }, { "name": "CodeDeployAutoRollbackMonitorEnabled", "description": "Ensures that CodeDeploy deployment groups have monitoring alarms and auto-rollback enabled.", "priority": 1, "priorityReason": "Monitoring alarms and auto-rollback reduce the risk of failed deployments impacting production.", "awsService": "CodeDeploy", "awsServiceCategory": "Deployment Groups", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [ { "name": "alarmConfiguration", "description": "Configuration for CloudWatch alarms to monitor during deployments.", "default": "{}", "example": "{\"enabled\": true, \"alarms\": [{\"name\": \"HighErrorRate\"}]}" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListDeploymentGroupsCommand", "reason": "Retrieve deployment groups to check for alarm and rollback configuration." 
}, { "name": "BatchGetDeploymentGroupsCommand", "reason": "Fetch detailed configuration of the deployment groups." } ], "commandUsedInFixFunction": [ { "name": "UpdateDeploymentGroupCommand", "reason": "Enable monitoring alarms and auto-rollback for the deployment group." } ], "adviseBeforeFixFunction": "Ensure the monitoring alarms are set up and configured properly." }, { "name": "DynamoDBAutoscalingEnabled", "description": "Ensures that DynamoDB tables have autoscaling enabled for read and write capacity.", "priority": 1, "priorityReason": "Autoscaling ensures the table can handle varying workloads without manual intervention.", "awsService": "DynamoDB", "awsServiceCategory": "NoSQL Database", "bestPracticeCategory": "Performance", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTableCommand", "reason": "Retrieve table information to check billing mode and autoscaling policies." }, { "name": "DescribeScalingPoliciesCommand", "reason": "Check for existing autoscaling policies for the table." } ], "commandUsedInFixFunction": [ { "name": "PutScalingPolicyCommand", "reason": "Create or update autoscaling policies for the table." } ], "adviseBeforeFixFunction": "Ensure the workload patterns are well understood to configure autoscaling appropriately." }, { "name": "DynamoDBLastBackupRecoveryPointCreated", "description": "Ensures that DynamoDB tables have a recent backup or recovery point created within the last 24 hours.", "priority": 1, "priorityReason": "Frequent backups ensure data recovery in case of accidental deletion or corruption.", "awsService": "DynamoDB", "awsServiceCategory": "NoSQL Database", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListBackupsCommand", "reason": "Retrieve the list of backups for the table to check for recent recovery points." 
} ], "commandUsedInFixFunction": [ { "name": "CreateBackupCommand", "reason": "Create a new backup for the DynamoDB table." } ], "adviseBeforeFixFunction": "Ensure that backup policies are aligned with organizational data retention requirements." }, { "name": "DynamoDBPITREnabled", "description": "Ensures that Point-In-Time Recovery (PITR) is enabled for DynamoDB tables.", "priority": 2, "priorityReason": "PITR allows recovery to any point in the last 35 days, enhancing resilience against accidental data loss.", "awsService": "DynamoDB", "awsServiceCategory": "NoSQL Database", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeContinuousBackupsCommand", "reason": "Retrieve table information to check if PITR is enabled." } ], "commandUsedInFixFunction": [ { "name": "UpdateContinuousBackupsCommand", "reason": "Enable Point-In-Time Recovery for the table." } ], "adviseBeforeFixFunction": "Ensure PITR is enabled only on tables requiring this feature to manage costs." }, { "name": "DynamoDBTableDeletionProtectionEnabled", "description": "Ensures that deletion protection is enabled for DynamoDB tables.", "priority": 1, "priorityReason": "Deletion protection prevents accidental deletion of critical tables.", "awsService": "DynamoDB", "awsServiceCategory": "NoSQL Database", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTableCommand", "reason": "Retrieve table information to check deletion protection settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateTableCommand", "reason": "Enable deletion protection for the table." } ], "adviseBeforeFixFunction": "Ensure deletion protection aligns with the operational requirements of the application." 
}, { "name": "DynamoDBTableEncryptedKMS", "description": "Ensures that DynamoDB tables are encrypted using KMS keys.", "priority": 1, "priorityReason": "KMS encryption protects sensitive data stored in DynamoDB tables.", "awsService": "DynamoDB", "awsServiceCategory": "NoSQL Database", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "kmsKeyId", "description": "The ID of the KMS key to use for encrypting the table.", "default": "", "example": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTableCommand", "reason": "Retrieve table information to check encryption settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateTableCommand", "reason": "Enable encryption using the specified KMS key." } ], "adviseBeforeFixFunction": "Ensure the specified KMS key is accessible and properly configured." }, { "name": "EC2InstanceProfileAttached", "description": "Ensures that all EC2 instances have an IAM instance profile attached.", "priority": 2, "priorityReason": "IAM instance profiles enable secure access to AWS services from EC2 instances.", "awsService": "EC2", "awsServiceCategory": "Instances", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "instanceProfileName", "description": "The name of the IAM instance profile to attach.", "default": "", "example": "EC2InstanceProfile" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeInstancesCommand", "reason": "Check if IAM instance profiles are attached to EC2 instances." } ], "commandUsedInFixFunction": [ { "name": "AssociateIamInstanceProfileCommand", "reason": "Attach an IAM instance profile to the EC2 instance." } ], "adviseBeforeFixFunction": "Ensure the IAM instance profile has the required policies attached." 
}, { "name": "EC2StoppedInstance", "description": "Ensures that unused stopped EC2 instances are terminated.", "priority": 1, "priorityReason": "Terminating stopped instances reduces costs and frees up resources.", "awsService": "EC2", "awsServiceCategory": "Instances", "bestPracticeCategory": "Cost Management", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeInstancesCommand", "reason": "Identify stopped EC2 instances." } ], "commandUsedInFixFunction": [ { "name": "TerminateInstancesCommand", "reason": "Terminate unused stopped EC2 instances." } ], "adviseBeforeFixFunction": "Ensure that the stopped instances are no longer needed before terminating them." }, { "name": "ECRPrivateImageScanningEnabled", "description": "Ensures that image scanning on push is enabled for ECR repositories.", "priority": 1, "priorityReason": "Enabling image scanning on push helps identify vulnerabilities in container images.", "awsService": "ECR", "awsServiceCategory": "Container Registry", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeRepositoriesCommand", "reason": "Retrieve repository configurations to check if image scanning on push is enabled." } ], "commandUsedInFixFunction": [ { "name": "PutImageScanningConfigurationCommand", "reason": "Enable image scanning on push for the repository." } ], "adviseBeforeFixFunction": "Ensure the repository content complies with scanning requirements." 
}, { "name": "ECRPrivateLifecyclePolicyConfigured", "description": "Ensures that lifecycle policies are configured for ECR repositories.", "priority": 2, "priorityReason": "Lifecycle policies help manage repository storage by automatically removing unneeded images.", "awsService": "ECR", "awsServiceCategory": "Container Registry", "bestPracticeCategory": "Cost Management", "requiredParametersForFix": [ { "name": "lifecyclePolicyText", "description": "The JSON-formatted lifecycle policy text.", "default": "", "example": "{\"rules\": [{\"rulePriority\": 1, \"description\": \"Keep only recent images\", \"selection\": {\"tagStatus\": \"untagged\", \"countType\": \"imageCountMoreThan\", \"countNumber\": 10, \"tagPrefixList\": []}, \"action\": {\"type\": \"expire\"}}]}" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetLifecyclePolicyCommand", "reason": "Check if a lifecycle policy is configured for the repository." } ], "commandUsedInFixFunction": [ { "name": "PutLifecyclePolicyCommand", "reason": "Configure a lifecycle policy for the repository." } ], "adviseBeforeFixFunction": "Ensure the lifecycle policy aligns with retention requirements." }, { "name": "ECRPrivateTagImmutabilityEnabled", "description": "Ensures that tag immutability is enabled for ECR repositories.", "priority": 2, "priorityReason": "Tag immutability prevents overwriting tags, ensuring image stability and integrity.", "awsService": "ECR", "awsServiceCategory": "Container Registry", "bestPracticeCategory": "Configuration", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeRepositoriesCommand", "reason": "Retrieve repository configurations to check if tag immutability is enabled." } ], "commandUsedInFixFunction": [ { "name": "PutImageTagMutabilityCommand", "reason": "Enable tag immutability for the repository." 
} ], "adviseBeforeFixFunction": "Ensure that enabling tag immutability does not disrupt existing workflows." }, { "name": "ECSContainersNonPrivileged", "description": "Ensures that ECS containers do not run in privileged mode.", "priority": 1, "priorityReason": "Privileged mode can give containers elevated access to the host system, posing a security risk.", "awsService": "ECS", "awsServiceCategory": "Task Definitions", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTaskDefinitionCommand", "reason": "Retrieve task definition details to check container privilege settings." } ], "commandUsedInFixFunction": [ { "name": "RegisterTaskDefinitionCommand", "reason": "Update the task definition to disable privileged mode." } ], "adviseBeforeFixFunction": "Ensure the containers do not require privileged mode for their operations." }, { "name": "ECSContainerInsightsEnabled", "description": "Ensures that ECS clusters have Container Insights enabled.", "priority": 2, "priorityReason": "Container Insights provides detailed monitoring metrics and logs for ECS clusters and services.", "awsService": "ECS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeClustersCommand", "reason": "Retrieve ECS cluster configurations to check for Container Insights settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateClusterSettingsCommand", "reason": "Enable Container Insights for the ECS cluster." } ], "adviseBeforeFixFunction": "Ensure CloudWatch is configured to receive metrics and logs from Container Insights." 
}, { "name": "ECSTaskDefinitionLogConfiguration", "description": "Ensures that ECS task definitions include a log configuration.", "priority": 1, "priorityReason": "Log configuration ensures that container logs are sent to a centralized logging service such as CloudWatch.", "awsService": "ECS", "awsServiceCategory": "Task Definitions", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "logDriver", "description": "The log driver to use for the task definition.", "default": "awslogs", "example": "awslogs" }, { "name": "logOptions", "description": "The options for the log driver, such as log group name and region.", "default": "{}", "example": "{\"awslogs-group\": \"/ecs/example\", \"awslogs-region\": \"us-east-1\"}" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTaskDefinitionCommand", "reason": "Retrieve task definition details to check for log configuration." } ], "commandUsedInFixFunction": [ { "name": "RegisterTaskDefinitionCommand", "reason": "Update the task definition to include a log configuration." } ], "adviseBeforeFixFunction": "Ensure the log group exists and is configured to receive logs." }, { "name": "ECSTaskDefinitionMemoryHardLimit", "description": "Ensures that ECS containers specify a memory hard limit in the task definition.", "priority": 1, "priorityReason": "Specifying a memory hard limit prevents containers from consuming excessive memory, protecting other processes.", "awsService": "ECS", "awsServiceCategory": "Task Definitions", "bestPracticeCategory": "Performance", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTaskDefinitionCommand", "reason": "Retrieve task definition details to check memory limit settings." } ], "commandUsedInFixFunction": [ { "name": "RegisterTaskDefinitionCommand", "reason": "Update the task definition to specify a memory hard limit." 
} ], "adviseBeforeFixFunction": "Ensure containers are tested with the specified memory limits." }, { "name": "ECSTaskDefinitionNonRootUser", "description": "Ensures that ECS containers run as a non-root user.", "priority": 1, "priorityReason": "Running containers as a non-root user reduces the risk of privilege escalation attacks.", "awsService": "ECS", "awsServiceCategory": "Task Definitions", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "user", "description": "The user to run the container as.", "default": "", "example": "appuser" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTaskDefinitionCommand", "reason": "Retrieve task definition details to check the container user settings." } ], "commandUsedInFixFunction": [ { "name": "RegisterTaskDefinitionCommand", "reason": "Update the task definition to run the container as a non-root user." } ], "adviseBeforeFixFunction": "Ensure the application can run with non-root permissions." }, { "name": "EFSAccessPointEnforceRootDirectory", "description": "Ensures that EFS access points enforce a non-root directory for enhanced security.", "priority": 2, "priorityReason": "Restricting access to specific directories reduces the risk of data exposure.", "awsService": "EFS", "awsServiceCategory": "Access Points", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "path", "description": "The path to enforce as the root directory for the access point.", "default": "/data", "example": "/data" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeAccessPointsCommand", "reason": "Retrieve information about EFS access points to check their root directory configuration." } ], "commandUsedInFixFunction": [ { "name": "CreateAccessPointCommand", "reason": "Create a replacement access point that enforces the specified root directory." 
} ], "adviseBeforeFixFunction": "Ensure that the directory path is properly configured and exists in the file system." }, { "name": "EFSAccessPointEnforceUserIdentity", "description": "Ensures that EFS access points enforce a user identity for operations.", "priority": 2, "priorityReason": "Enforcing a user identity ensures accountability and proper access control.", "awsService": "EFS", "awsServiceCategory": "Access Points", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "posixUser", "description": "The POSIX user configuration to enforce on the access point.", "default": "{}", "example": "{\"Uid\": 1001, \"Gid\": 1001, \"SecondaryGids\": [1002]}" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeAccessPointsCommand", "reason": "Retrieve access point details to check POSIX user settings." } ], "commandUsedInFixFunction": [ { "name": "CreateAccessPointCommand", "reason": "Create a replacement access point that enforces the specified POSIX user identity." } ], "adviseBeforeFixFunction": "Ensure the specified POSIX user is valid and properly configured in the file system." }, { "name": "EFSAutomaticBackupsEnabled", "description": "Ensures that automatic backups are enabled for EFS file systems.", "priority": 1, "priorityReason": "Automatic backups ensure data recovery in case of accidental deletion or corruption.", "awsService": "EFS", "awsServiceCategory": "File Systems", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeBackupPolicyCommand", "reason": "Check the backup policy for EFS file systems." } ], "commandUsedInFixFunction": [ { "name": "PutBackupPolicyCommand", "reason": "Enable automatic backups for the file system." } ], "adviseBeforeFixFunction": "Verify backup retention policies align with organizational requirements." 
}, { "name": "EFSEncryptedCheck", "description": "Ensures that EFS file systems are encrypted at rest.", "priority": 1, "priorityReason": "Encryption at rest protects sensitive data stored in EFS file systems; because encryption can only be chosen when a file system is created, an unencrypted file system cannot be fixed in place.", "awsService": "EFS", "awsServiceCategory": "File Systems", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeFileSystemsCommand", "reason": "Check if the file systems are encrypted." } ], "commandUsedInFixFunction": [ { "name": "CreateFileSystemCommand", "reason": "Recreate the file system with encryption enabled." } ], "adviseBeforeFixFunction": "Encryption at rest cannot be enabled on an existing EFS file system, so the fix provisions a new encrypted file system rather than modifying the current one. Plan the data copy (for example with AWS DataSync), re-point mount targets, access points and clients to the new file system, and delete the unencrypted one only after the copy has been verified." }, { "name": "EFSMountTargetPublicAccessible", "description": "Ensures that EFS mount targets are not publicly accessible.", "priority": 1, "priorityReason": "Restricting public access prevents unauthorized access to file systems.", "awsService": "EFS", "awsServiceCategory": "Mount Targets", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeMountTargetsCommand", "reason": "Retrieve information about mount targets to check public accessibility." }, { "name": "DescribeRouteTablesCommand", "reason": "Check if mount targets are associated with routes exposing them publicly." } ], "commandUsedInFixFunction": [ { "name": "ModifyMountTargetSecurityGroupsCommand", "reason": "Restrict access to the mount target by updating security groups." } ], "adviseBeforeFixFunction": "The fix only narrows the mount target's security groups (allow NFS, TCP 2049, solely from the client security groups or CIDRs that need it); it does not change subnet routing. If the check flagged the mount target because its subnet routes to an internet gateway, plan to recreate the mount target in a private subnet as well. Ensure the resulting rules align with organizational access policies."
}, { "name": "EKSClusterLoggingEnabled", "description": "Ensures that EKS clusters have all logging types enabled.", "priority": 2, "priorityReason": "Enabling cluster logging ensures better monitoring, troubleshooting, and compliance; the audit and authenticator log types in particular are what incident responders need to reconstruct who did what against the API server.", "awsService": "EKS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeClusterCommand", "reason": "Retrieve cluster details to check logging configurations." } ], "commandUsedInFixFunction": [ { "name": "UpdateClusterConfigCommand", "reason": "Enable all available logging types for the EKS cluster." } ], "adviseBeforeFixFunction": "Ensure enabling logging will not impact current cluster performance or cost significantly, and set a retention period on the resulting CloudWatch log group." }, { "name": "EKSClusterSecretsEncrypted", "description": "Ensures that EKS clusters use KMS encryption for secrets.", "priority": 1, "priorityReason": "Encrypting secrets enhances security and meets compliance requirements.", "awsService": "EKS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "kmsKeyArn", "description": "The ARN of the KMS key to use for secrets encryption.", "default": "", "example": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeClusterCommand", "reason": "Check if the cluster has encryption enabled for secrets." } ], "commandUsedInFixFunction": [ { "name": "AssociateEncryptionConfigCommand", "reason": "Add encryption configuration to the EKS cluster." } ], "adviseBeforeFixFunction": "Ensure the specified KMS key is available and properly configured for the cluster: the key policy must allow the cluster's IAM role to use the key, otherwise the API server cannot read secrets. Once associated, the encryption configuration cannot be removed from the cluster, and secrets that already exist are not re-encrypted with the key until they are rewritten."
}, { "name": "EKSEndpointNoPublicAccess", "description": "Ensures that EKS cluster endpoints are not publicly accessible.", "priority": 1, "priorityReason": "Restricting public access prevents unauthorized access to the cluster.", "awsService": "EKS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeClusterCommand", "reason": "Retrieve cluster endpoint configuration to check public access settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateClusterConfigCommand", "reason": "Disable public access for the cluster endpoint." } ], "adviseBeforeFixFunction": "Ensure private access is properly configured before disabling public access." }, { "name": "ElastiCacheAutoMinorVersionUpgradeCheck", "description": "Ensures that Auto Minor Version Upgrade is enabled for ElastiCache clusters.", "priority": 2, "priorityReason": "Keeping clusters updated with minor versions ensures they receive the latest security patches and bug fixes.", "awsService": "ElastiCache", "awsServiceCategory": "Cache Clusters", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeCacheClustersCommand", "reason": "Retrieve cluster configurations to check Auto Minor Version Upgrade settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyCacheClusterCommand", "reason": "Enable Auto Minor Version Upgrade for the cluster." } ], "adviseBeforeFixFunction": "Ensure enabling minor version upgrades aligns with application compatibility." 
}, { "name": "ElastiCacheRedisClusterAutomaticBackupCheck", "description": "Ensures that automatic backups are enabled for ElastiCache Redis clusters.", "priority": 1, "priorityReason": "Automatic backups are crucial for data recovery in case of accidental deletion or corruption.", "awsService": "ElastiCache", "awsServiceCategory": "Redis", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [ { "name": "snapshotRetentionLimit", "description": "The number of days to retain backups.", "default": "7", "example": "7" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeReplicationGroupsCommand", "reason": "Check if automatic backups are enabled for replication groups." } ], "commandUsedInFixFunction": [ { "name": "ModifyReplicationGroupCommand", "reason": "Enable automatic backups for the Redis replication group." } ], "adviseBeforeFixFunction": "Verify the snapshot retention policy aligns with organizational recovery requirements." }, { "name": "ElastiCacheSubnetGroupCheck", "description": "Ensures that ElastiCache clusters are not using the default subnet group.", "priority": 2, "priorityReason": "Using a custom subnet group ensures better control over network configurations.", "awsService": "ElastiCache", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Configuration", "requiredParametersForFix": [ { "name": "subnetGroupName", "description": "The name of the custom subnet group to use.", "default": "", "example": "custom-subnet-group" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeCacheClustersCommand", "reason": "Retrieve cluster configurations to check subnet group settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyCacheClusterCommand", "reason": "Update the cluster to use a custom subnet group." } ], "adviseBeforeFixFunction": "Ensure the custom subnet group is properly configured and meets network requirements." 
}, { "name": "IAMPolicyNoStatementsWithAdminAccess", "description": "Ensures that IAM policies do not contain statements granting full administrative access (all actions on all resources).", "priority": 1, "priorityReason": "Granting full administrative access violates the principle of least privilege and poses a security risk.", "awsService": "IAM", "awsServiceCategory": "Policies", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListPoliciesCommand", "reason": "Retrieve the list of local IAM policies." }, { "name": "GetPolicyVersionCommand", "reason": "Retrieve the default version of IAM policies to analyze their statements." } ], "commandUsedInFixFunction": [ { "name": "CreatePolicyVersionCommand", "reason": "Create a new policy version with restricted permissions." }, { "name": "SetDefaultPolicyVersionCommand", "reason": "Set the new policy version as the default." } ], "adviseBeforeFixFunction": "Review the policy requirements to ensure removing administrative access will not disrupt operations. Listing local policies covers customer-managed policies only, so inline policies embedded in users, groups or roles and directly attached AWS-managed policies such as AdministratorAccess are outside this check. A managed policy keeps at most five versions, so creating a new version fails until an older non-default version is deleted; the superseded version remains available for rollback." }, { "name": "IAMPolicyNoStatementsWithFullAccess", "description": "Ensures that IAM policies do not contain statements granting full access to specific services.", "priority": 1, "priorityReason": "Granting full access to a service (all of its actions on all resources) can lead to unintentional misuse or privilege escalation.", "awsService": "IAM", "awsServiceCategory": "Policies", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListPoliciesCommand", "reason": "Retrieve the list of local IAM policies." }, { "name": "GetPolicyVersionCommand", "reason": "Retrieve the default version of IAM policies to analyze their statements." } ], "commandUsedInFixFunction": [ { "name": "CreatePolicyVersionCommand", "reason": "Create a new policy version with restricted permissions."
}, { "name": "SetDefaultPolicyVersionCommand", "reason": "Set the new policy version as the default." } ], "adviseBeforeFixFunction": "Review the policy requirements to ensure removing full access permissions will not disrupt operations." }, { "name": "IAMRoleManagedPolicyCheck", "description": "Ensures that managed policies are attached to IAM roles, groups, or users.", "priority": 2, "priorityReason": "Attaching managed policies ensures consistent permissions and simplifies policy management.", "awsService": "IAM", "awsServiceCategory": "Roles", "bestPracticeCategory": "Configuration", "requiredParametersForFix": [ { "name": "roleName", "description": "The name of the IAM role to attach the managed policy to.", "default": "", "example": "MyRole" }, { "name": "policyArn", "description": "The ARN of the managed policy to attach.", "default": "", "example": "arn:aws:iam::aws:policy/ReadOnlyAccess" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListPoliciesCommand", "reason": "Retrieve the list of managed IAM policies." }, { "name": "ListEntitiesForPolicyCommand", "reason": "Check which entities are attached to each managed policy." } ], "commandUsedInFixFunction": [ { "name": "AttachRolePolicyCommand", "reason": "Attach a managed policy to an IAM role." } ], "adviseBeforeFixFunction": "Ensure the managed policy aligns with the role's intended permissions." 
}, { "name": "LambdaDLQCheck", "description": "Ensures that AWS Lambda functions have a Dead Letter Queue (DLQ) configured.", "priority": 2, "priorityReason": "Configuring a DLQ ensures that failed Lambda invocations are captured for troubleshooting and analysis.", "awsService": "Lambda", "awsServiceCategory": "Functions", "bestPracticeCategory": "Reliability", "requiredParametersForFix": [ { "name": "dlqArn", "description": "The ARN of the Dead Letter Queue to configure.", "default": "", "example": "arn:aws:sqs:us-east-1:123456789012:MyDLQ" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListFunctionsCommand", "reason": "Retrieve the list of Lambda functions to check for DLQ configurations." } ], "commandUsedInFixFunction": [ { "name": "UpdateFunctionConfigurationCommand", "reason": "Configure a Dead Letter Queue for the Lambda function." } ], "adviseBeforeFixFunction": "Ensure the DLQ exists and has the appropriate permissions to receive failed messages." }, { "name": "LambdaFunctionPublicAccessProhibited", "description": "Ensures that AWS Lambda functions are not publicly accessible.", "priority": 1, "priorityReason": "Publicly accessible Lambda functions can lead to security vulnerabilities and unauthorized usage.", "awsService": "Lambda", "awsServiceCategory": "Functions", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetPolicyCommand", "reason": "Retrieve the Lambda function's resource-based policy to check for public access." } ], "commandUsedInFixFunction": [ { "name": "RemovePermissionCommand", "reason": "Remove any permissions that grant public access to the Lambda function." } ], "adviseBeforeFixFunction": "Verify that removing public access will not disrupt intended functionality." 
}, { "name": "LambdaFunctionSettingsCheck", "description": "Ensures that AWS Lambda functions do not use default settings for timeout and memory.", "priority": 2, "priorityReason": "Customizing timeout and memory settings optimizes function performance and cost.", "awsService": "Lambda", "awsServiceCategory": "Functions", "bestPracticeCategory": "Performance", "requiredParametersForFix": [ { "name": "timeout", "description": "The timeout duration (in seconds) for the Lambda function.", "default": "15", "example": "15" }, { "name": "memorySize", "description": "The memory size (in MB) allocated to the Lambda function.", "default": "256", "example": "256" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListFunctionsCommand", "reason": "Retrieve the list of Lambda functions to check their settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateFunctionConfigurationCommand", "reason": "Update the function's timeout and memory settings." } ], "adviseBeforeFixFunction": "Ensure the updated settings align with the function's performance and cost requirements." 
}, { "name": "LambdaInsideVPC", "description": "Ensures that AWS Lambda functions are configured to run inside a VPC.", "priority": 1, "priorityReason": "Running Lambda functions inside a VPC lets their outbound traffic be governed by subnet routing and security groups (for example reaching a private database without exposing it); it does not restrict who can invoke the function, which is controlled by IAM and the function's resource policy.", "awsService": "Lambda", "awsServiceCategory": "Functions", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "subnetIds", "description": "The subnet IDs for the Lambda function to use.", "default": "", "example": "subnet-12345678,subnet-87654321" }, { "name": "securityGroupIds", "description": "The security group IDs for the Lambda function to use.", "default": "", "example": "sg-12345678,sg-87654321" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListFunctionsCommand", "reason": "Retrieve the list of Lambda functions to check their VPC configurations." } ], "commandUsedInFixFunction": [ { "name": "UpdateFunctionConfigurationCommand", "reason": "Configure the function to use a VPC." } ], "adviseBeforeFixFunction": "Ensure the specified subnets and security groups belong to the same VPC, that the subnets are private and have a route (NAT gateway or VPC endpoints) to every AWS service or external endpoint the function calls, since a VPC-attached function loses its default internet access, and that the execution role can manage network interfaces (the AWSLambdaVPCAccessExecutionRole managed policy or equivalent ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface permissions)." }, { "name": "AuroraLastBackupRecoveryPointCreated", "description": "Ensures that Aurora DB clusters have a recent recovery point created.", "priority": 1, "priorityReason": "Recent backups ensure data recovery in case of accidental deletion or corruption.", "awsService": "RDS", "awsServiceCategory": "Aurora Clusters", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve the list of Aurora DB clusters." }, { "name": "DescribeDBClusterSnapshotsCommand", "reason": "Check the most recent recovery point for each cluster." } ], "commandUsedInFixFunction": [ { "name": "CreateDBClusterSnapshotCommand", "reason": "Create a new recovery point for the Aurora DB cluster."
} ], "adviseBeforeFixFunction": "Ensure the DB cluster is in a stable state before creating a snapshot." }, { "name": "AuroraMySQLBacktrackingEnabled", "description": "Ensures that backtracking is enabled for Aurora MySQL clusters.", "priority": 2, "priorityReason": "Backtracking allows quick recovery from accidental data modifications.", "awsService": "RDS", "awsServiceCategory": "Aurora Clusters", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [ { "name": "backtrackWindow", "description": "The backtracking window in seconds.", "default": "86400", "example": "86400" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve the list of Aurora MySQL clusters and check their backtracking configuration." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBClusterCommand", "reason": "Enable backtracking for the Aurora MySQL cluster." } ], "adviseBeforeFixFunction": "Ensure enabling backtracking does not disrupt the current cluster configuration." }, { "name": "DBInstanceBackupEnabled", "description": "Ensures that backups are enabled for RDS instances.", "priority": 1, "priorityReason": "Enabling backups is critical for disaster recovery and data protection.", "awsService": "RDS", "awsServiceCategory": "Instances", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [ { "name": "backupRetentionPeriod", "description": "The number of days to retain automated backups.", "default": "7", "example": "7" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBInstancesCommand", "reason": "Retrieve the list of RDS instances and check their backup settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBInstanceCommand", "reason": "Enable automated backups for the RDS instance." } ], "adviseBeforeFixFunction": "Ensure the backup retention policy meets organizational recovery requirements." 
}, { "name": "RDSClusterIAMAuthenticationEnabled", "description": "Ensures that IAM authentication is enabled for RDS clusters.", "priority": 2, "priorityReason": "IAM authentication simplifies credential management and enhances security.", "awsService": "RDS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve the list of RDS clusters and check their IAM authentication settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBClusterCommand", "reason": "Enable IAM authentication for the RDS cluster." } ], "adviseBeforeFixFunction": "Ensure IAM roles are properly configured to support database authentication." }, { "name": "RDSClusterDeletionProtectionEnabled", "description": "Ensures that deletion protection is enabled for RDS clusters.", "priority": 1, "priorityReason": "Deletion protection prevents accidental deletion of critical RDS clusters.", "awsService": "RDS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve the list of RDS clusters and check their deletion protection settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBClusterCommand", "reason": "Enable deletion protection for the RDS cluster." } ], "adviseBeforeFixFunction": "Ensure deletion protection aligns with operational requirements and does not block intentional deletions." 
}, { "name": "RDSClusterEncryptedAtRest", "description": "Ensures that RDS clusters are encrypted at rest.", "priority": 1, "priorityReason": "Encryption at rest protects sensitive data stored in RDS clusters; it can only be chosen when a cluster is created, so an unencrypted cluster cannot be fixed in place.", "awsService": "RDS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve the list of RDS clusters and check their encryption settings." } ], "commandUsedInFixFunction": [ { "name": "CreateDBClusterCommand", "reason": "Recreate the RDS cluster with encryption enabled." } ], "adviseBeforeFixFunction": "Encryption cannot be turned on for an existing cluster, so plan the migration before running the fix: take a snapshot, copy it with a KMS key to obtain an encrypted snapshot, restore a new cluster from that copy, and cut applications over (expect downtime or a replication window). Delete the unencrypted cluster and its snapshots only after the new cluster has been verified." }, { "name": "S3BucketVersioningEnabled", "description": "Ensures that S3 bucket versioning is enabled.", "priority": 1, "priorityReason": "Enabling versioning helps protect against accidental overwrites and deletions.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Resilience", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetBucketVersioningCommand", "reason": "Check if versioning is enabled for the S3 bucket." } ], "commandUsedInFixFunction": [ { "name": "PutBucketVersioningCommand", "reason": "Enable versioning for the S3 bucket." } ], "adviseBeforeFixFunction": "Ensure that enabling versioning aligns with cost and recovery policies; pair it with a lifecycle rule that expires noncurrent versions, and consider MFA Delete for buckets holding sensitive data."
}, { "name": "S3BucketSSLRequestsOnly", "description": "Ensures that S3 buckets require SSL for requests.", "priority": 1, "priorityReason": "Requiring TLS (aws:SecureTransport) ensures data in transit to and from the bucket cannot be read or altered on the network.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetBucketPolicyCommand", "reason": "Retrieve the bucket policy to check for SSL enforcement." } ], "commandUsedInFixFunction": [ { "name": "PutBucketPolicyCommand", "reason": "Update or create a bucket policy to enforce SSL requests." } ], "adviseBeforeFixFunction": "Review the impact of enforcing SSL on applications accessing the bucket. PutBucketPolicy replaces the whole policy document, so back up the current policy and merge the Deny statement (all principals, condition aws:SecureTransport equal to false, applied to both the bucket ARN and its objects) with the existing statements rather than overwriting them." }, { "name": "S3BucketLoggingEnabled", "description": "Ensures that S3 bucket logging is enabled.", "priority": 2, "priorityReason": "Bucket logging helps in auditing and monitoring access patterns.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "targetBucket", "description": "The target bucket for storing access logs.", "default": "", "example": "my-log-bucket" }, { "name": "targetPrefix", "description": "The prefix for log file names.", "default": "", "example": "logs/" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetBucketLoggingCommand", "reason": "Retrieve the bucket logging configuration." } ], "commandUsedInFixFunction": [ { "name": "PutBucketLoggingCommand", "reason": "Enable logging for the S3 bucket." } ], "adviseBeforeFixFunction": "Ensure the target bucket exists in the same region and its bucket policy allows the S3 log delivery service principal (logging.s3.amazonaws.com) to write objects under the chosen prefix. Do not point a bucket's logging at itself, which produces an endless write loop, and keep the log bucket private with its own retention lifecycle."
}, { "name": "S3BucketDefaultLockEnabled", "description": "Ensures that S3 Object Lock is enabled by default on buckets.", "priority": 1, "priorityReason": "Object Lock protects objects against deletion or modification for a specified period.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "GetObjectLockConfigurationCommand", "reason": "Check if the S3 bucket has default Object Lock enabled." } ], "commandUsedInFixFunction": [ { "name": "CreateBucketCommand", "reason": "Recreate the bucket with Object Lock enabled." } ], "adviseBeforeFixFunction": "Recreating a bucket deletes its existing data. Ensure proper data migration is planned, and keep in mind that a default retention period will apply to every object written afterwards, so pick the mode (Governance versus Compliance) and period deliberately; Compliance-mode retention cannot be shortened by anyone, including the root user. Newer S3 versions allow Object Lock to be enabled on an existing versioned bucket without recreation; confirm whether that path is available before accepting the destructive fix." }, { "name": "SecretsManagerRotationEnabledCheck", "description": "Ensures that secret rotation is enabled for AWS Secrets Manager secrets.", "priority": 1, "priorityReason": "Enabling rotation reduces the risk of credential compromise by regularly updating them.", "awsService": "SecretsManager", "awsServiceCategory": "Secrets", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "rotationLambdaARN", "description": "The ARN of the Lambda function to handle rotation.", "default": "", "example": "arn:aws:lambda:us-east-1:123456789012:function:MyRotationLambda" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListSecretsCommand", "reason": "Retrieve the list of Secrets Manager secrets." } ], "commandUsedInFixFunction": [ { "name": "RotateSecretCommand", "reason": "Enable rotation for the secret." } ], "adviseBeforeFixFunction": "Ensure that the rotation Lambda function is configured correctly to handle secret updates: it needs a resource policy allowing secretsmanager.amazonaws.com to invoke it, access to the secret's KMS key, and network reachability to the target service. Configuring rotation through RotateSecret also triggers an immediate rotation unless RotateImmediately is set to false, so confirm consumers fetch the secret at use time rather than caching a stale value."
}, { "name": "SecretsManagerScheduledRotationSuccessCheck", "description": "Ensures that secrets with rotation enabled have been rotated successfully within the scheduled time.", "priority": 1, "priorityReason": "Ensuring timely rotation protects against stale or compromised credentials.", "awsService": "SecretsManager", "awsServiceCategory": "Secrets", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListSecretsCommand", "reason": "Retrieve the list of Secrets Manager secrets." } ], "commandUsedInFixFunction": [ { "name": "RotateSecretCommand", "reason": "Force rotation of the secret to update it." } ], "adviseBeforeFixFunction": "Verify that the rotation Lambda function is active and can handle forced rotation." }, { "name": "SecretsManagerSecretPeriodicRotation", "description": "Ensures that secrets are rotated periodically, at least every 90 days.", "priority": 2, "priorityReason": "Periodic rotation helps mitigate risks of long-lived credentials.", "awsService": "SecretsManager", "awsServiceCategory": "Secrets", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "rotationDays", "description": "The number of days after which the secret should be rotated.", "default": "90", "example": "90" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListSecretsCommand", "reason": "Retrieve the list of Secrets Manager secrets." } ], "commandUsedInFixFunction": [ { "name": "UpdateSecretCommand", "reason": "Set the rotation schedule for the secret." } ], "adviseBeforeFixFunction": "Ensure rotation rules align with organizational policies and application dependencies." 
}, { "name": "SecurityHubEnabled", "description": "Ensures that AWS Security Hub is enabled for the AWS account.", "priority": 1, "priorityReason": "Enabling Security Hub is critical for monitoring and managing security across AWS accounts.", "awsService": "SecurityHub", "awsServiceCategory": "Security Monitoring", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeHubCommand", "reason": "Check if Security Hub is enabled in the account." } ], "commandUsedInFixFunction": [ { "name": "EnableSecurityHubCommand", "reason": "Enable Security Hub for the account." } ], "adviseBeforeFixFunction": "Ensure that enabling Security Hub aligns with organizational policies and cost considerations. Most Security Hub controls depend on AWS Config recording the relevant resource types, so enable Config in the region first, and prefer enabling through the organization's delegated administrator account if one exists." }, { "name": "SNSEncryptedKMS", "description": "Ensures that SNS topics are encrypted using KMS keys.", "priority": 2, "priorityReason": "Encrypting SNS topics helps protect sensitive data transmitted via notifications.", "awsService": "SNS", "awsServiceCategory": "Topics", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "kmsKeyId", "description": "The KMS key ID or ARN to encrypt the SNS topic.", "default": "", "example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-1234-567890abcdef" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListTopicsCommand", "reason": "Retrieve the list of SNS topics." }, { "name": "GetTopicAttributesCommand", "reason": "Check the encryption settings of each SNS topic." } ], "commandUsedInFixFunction": [ { "name": "SetTopicAttributesCommand", "reason": "Enable encryption for the SNS topic." } ], "adviseBeforeFixFunction": "Ensure the KMS key is configured correctly and accessible by SNS: the key policy must grant kms:GenerateDataKey and kms:Decrypt to every principal that publishes to the topic, including AWS service publishers such as CloudWatch alarms, S3 event notifications or EventBridge, which cannot use the AWS-managed alias/aws/sns key. Publishing fails silently from the publisher's perspective if the key policy is wrong, so test each event source after the change."
}, { "name": "SNSTopicMessageDeliveryNotificationEnabled", "description": "Ensures that SNS topics are configured to send delivery notifications.", "priority": 3, "priorityReason": "Enabling delivery notifications ensures visibility into message delivery status.", "awsService": "SNS", "awsServiceCategory": "Topics", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "feedbackRoleArn", "description": "The ARN of the IAM role to enable delivery notifications.", "default": "", "example": "arn:aws:iam::123456789012:role/SNSDeliveryRole" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListTopicsCommand", "reason": "Retrieve the list of SNS topics." }, { "name": "GetTopicAttributesCommand", "reason": "Check if delivery notifications are enabled for each topic." } ], "commandUsedInFixFunction": [ { "name": "SetTopicAttributesCommand", "reason": "Enable delivery notifications for the SNS topic." } ], "adviseBeforeFixFunction": "Ensure the IAM role has the appropriate permissions to manage delivery notifications." }, { "name": "EC2TransitGatewayAutoVPCAttachDisabled", "description": "Ensures that the auto-attach feature of Transit Gateways is disabled.", "priority": 1, "priorityReason": "Disabling auto-attach ensures manual control over VPC attachments, enhancing security and governance.", "awsService": "EC2", "awsServiceCategory": "Transit Gateways", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTransitGatewaysCommand", "reason": "Retrieve the list of Transit Gateways and check their auto-attach settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyTransitGatewayCommand", "reason": "Disable the auto-attach feature for the Transit Gateway." } ], "adviseBeforeFixFunction": "Verify that no active auto-attached VPCs will be impacted by disabling this feature." 
}, { "name": "RestrictedSSH", "description": "Ensures that SSH access (port 22) is restricted to trusted sources.", "priority": 1, "priorityReason": "Restricting SSH access prevents unauthorized access to resources and strengthens security.", "awsService": "EC2", "awsServiceCategory": "Security Groups", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeSecurityGroupRulesCommand", "reason": "Retrieve security group rules to check for unrestricted SSH access." } ], "commandUsedInFixFunction": [ { "name": "RevokeSecurityGroupIngressCommand", "reason": "Revoke rules allowing unrestricted SSH access." } ], "adviseBeforeFixFunction": "Ensure that legitimate users have alternative access paths (for example SSM Session Manager, EC2 Instance Connect, or a bastion reachable from a fixed CIDR) before restricting SSH access. Treat rules open to 0.0.0.0/0 and ::/0 alike, and include port ranges that span 22 (or all traffic rules), not only rules for exactly port 22." }, { "name": "SubnetAutoAssignPublicIPDisabled", "description": "Ensures that subnets are not configured to automatically assign public IP addresses.", "priority": 2, "priorityReason": "Disabling automatic public IP assignment helps prevent unintended exposure of resources to the internet.", "awsService": "EC2", "awsServiceCategory": "Subnets", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeSubnetsCommand", "reason": "Retrieve the list of subnets and check their public IP assignment settings." } ], "commandUsedInFixFunction": [ { "name": "ModifySubnetAttributeCommand", "reason": "Disable automatic public IP assignment for the subnet." } ], "adviseBeforeFixFunction": "Ensure no essential resources require public IPs before disabling this feature. The setting only affects instances launched afterwards; existing instances keep their public addresses until they are stopped/replaced, so review them separately."
}, { "name": "VPCFlowLogsEnabled", "description": "Ensures that flow logs are enabled for all VPCs.", "priority": 1, "priorityReason": "Enabling flow logs provides visibility into network traffic and helps with troubleshooting and auditing.", "awsService": "EC2", "awsServiceCategory": "VPCs", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "logGroupName", "description": "The name of the CloudWatch log group to store flow logs.", "default": "", "example": "VPCFlowLogs" }, { "name": "iamRoleArn", "description": "The ARN of the IAM role with permissions to publish flow logs to CloudWatch.", "default": "", "example": "arn:aws:iam::123456789012:role/FlowLogsRole" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeVpcsCommand", "reason": "Retrieve the list of VPCs and check if flow logs are enabled." } ], "commandUsedInFixFunction": [ { "name": "CreateFlowLogsCommand", "reason": "Enable flow logs for the VPC." } ], "adviseBeforeFixFunction": "Ensure CloudWatch and IAM role configurations are prepared to handle the new logs: the role must trust vpc-flow-logs.amazonaws.com and be allowed to create log streams and put events in the target log group. Flow logs are high-volume, so set a retention period on the group, and capture ALL traffic (not only ACCEPT) if the logs are meant to support incident investigation." }, { "name": "VPCDefaultSecurityGroupClosed", "description": "Ensures that default security groups have no inbound or outbound rules.", "priority": 1, "priorityReason": "Closing default security groups prevents unintended access and strengthens security.", "awsService": "EC2", "awsServiceCategory": "Security Groups", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeSecurityGroupsCommand", "reason": "Retrieve default security groups and check their rules." } ], "commandUsedInFixFunction": [ { "name": "RevokeSecurityGroupIngressCommand", "reason": "Remove all inbound rules from the default security group." }, { "name": "RevokeSecurityGroupEgressCommand", "reason": "Remove all outbound rules from the default security group."
} ], "adviseBeforeFixFunction": "Ensure no critical dependencies are relying on the default security group rules." }, { "name": "WAFv2LoggingEnabled", "description": "Ensures that logging is enabled for WAFv2 Web ACLs.", "priority": 1, "priorityReason": "Logging provides visibility into WAF actions and helps in auditing and debugging.", "awsService": "WAFv2", "awsServiceCategory": "Web ACLs", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "logDestinationArn", "description": "The ARN of the log group or Kinesis Data Firehose for logging.", "default": "", "example": "arn:aws:logs:us-east-1:123456789012:log-group:WAFLogs" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetLoggingConfigurationCommand", "reason": "Check if logging is enabled for WAF Web ACLs." }, { "name": "ListWebACLsCommand", "reason": "Retrieve the list of Web ACLs." } ], "commandUsedInFixFunction": [ { "name": "PutLoggingConfigurationCommand", "reason": "Enable logging for WAF Web ACLs." } ], "adviseBeforeFixFunction": "Ensure the log destination (CloudWatch Logs or Kinesis Data Firehose) is configured correctly." }, { "name": "WAFv2RuleGroupLoggingEnabled", "description": "Ensures that logging is enabled for WAFv2 Rule Groups.", "priority": 2, "priorityReason": "Logging for Rule Groups provides visibility into their actions, helping in auditing and debugging.", "awsService": "WAFv2", "awsServiceCategory": "Rule Groups", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetRuleGroupCommand", "reason": "Retrieve the details of WAF Rule Groups to check their logging configuration." }, { "name": "ListRuleGroupsCommand", "reason": "Retrieve the list of Rule Groups." } ], "commandUsedInFixFunction": [ { "name": "UpdateRuleGroupCommand", "reason": "Enable logging for the WAF Rule Group." 
} ], "adviseBeforeFixFunction": "Ensure metrics and logs are enabled for related Rule Groups." }, { "name": "WAFv2RuleGroupNotEmpty", "description": "Ensures that WAFv2 Rule Groups are not empty.", "priority": 2, "priorityReason": "Empty Rule Groups do not provide any protective measures, making them ineffective.", "awsService": "WAFv2", "awsServiceCategory": "Rule Groups", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "rules", "description": "The rules to be added to the Rule Group.", "default": "", "example": "[{\"Name\": \"IPBlock\", \"Priority\": 1, \"Statement\": {\"IPSetReferenceStatement\": {\"ARN\": \"arn:aws:wafv2:...\"}}}]" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetRuleGroupCommand", "reason": "Retrieve details of Rule Groups and check if they contain rules." } ], "commandUsedInFixFunction": [ { "name": "UpdateRuleGroupCommand", "reason": "Add rules to the Rule Group." } ], "adviseBeforeFixFunction": "Ensure the new rules do not conflict with existing configurations." }, { "name": "WAFv2WebACLNotEmpty", "description": "Ensures that WAFv2 Web ACLs contain at least one rule.", "priority": 1, "priorityReason": "Web ACLs without rules do not provide any protection against unwanted traffic.", "awsService": "WAFv2", "awsServiceCategory": "Web ACLs", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "rules", "description": "The rules to be added to the Web ACL.", "default": "", "example": "[{\"Name\": \"BlockBadActors\", \"Priority\": 1, \"Statement\": {\"IPSetReferenceStatement\": {\"ARN\": \"arn:aws:wafv2:...\"}}}]" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetWebACLCommand", "reason": "Retrieve details of Web ACLs to check if they contain rules." }, { "name": "ListWebACLsCommand", "reason": "Retrieve the list of Web ACLs." 
} ], "commandUsedInFixFunction": [ { "name": "UpdateWebACLCommand", "reason": "Add rules to the Web ACL." } ], "adviseBeforeFixFunction": "Review the rules to ensure they align with your organization's security policies." }, { "name": "RestrictedCommonPorts", "description": "Ensures that security groups restrict access to common ports such as HTTP, SSH, MySQL, and others.", "priority": 1, "priorityReason": "Restricting access to common ports minimizes the risk of unauthorized access.", "awsService": "EC2", "awsServiceCategory": "Security Groups", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeSecurityGroupRulesCommand", "reason": "Retrieve the security group rules to check for unrestricted access to common ports." } ], "commandUsedInFixFunction": [ { "name": "RevokeSecurityGroupIngressCommand", "reason": "Revoke ingress rules that allow unrestricted access to common ports." } ], "adviseBeforeFixFunction": "Review and confirm which ports need to remain open for critical operations." }, { "name": "VPCNetworkACLUnusedCheck", "description": "Ensures that unused network ACLs are identified and marked for removal or optimization.", "priority": 2, "priorityReason": "Unused network ACLs increase administrative overhead and pose a potential security risk if misconfigured.", "awsService": "EC2", "awsServiceCategory": "Network ACLs", "bestPracticeCategory": "Optimization", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeNetworkAclsCommand", "reason": "Retrieve the list of network ACLs to check for unused ones." } ], "commandUsedInFixFunction": [], "adviseBeforeFixFunction": "Ensure that identified unused ACLs are truly unlinked before removing them." 
}, { "name": "VPCPeeringDNSResolutionCheck", "description": "Ensures that VPC peering connections have DNS resolution enabled.", "priority": 1, "priorityReason": "Enabling DNS resolution improves connectivity and simplifies resource management across peered VPCs.", "awsService": "EC2", "awsServiceCategory": "VPC Peering", "bestPracticeCategory": "Networking", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeVpcPeeringConnectionsCommand", "reason": "Retrieve the list of VPC peering connections and their DNS resolution settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyVpcPeeringConnectionOptionsCommand", "reason": "Enable DNS resolution for the VPC peering connection." } ], "adviseBeforeFixFunction": "Ensure the VPCs involved in the peering connection require DNS resolution." }, { "name": "VPCSGOpenOnlyToAuthorizedPorts", "description": "Ensures that security groups are only open to authorized ports and IP ranges.", "priority": 1, "priorityReason": "Restricting security groups to authorized ports minimizes the risk of exposure to unauthorized access.", "awsService": "EC2", "awsServiceCategory": "Security Groups", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "authorizedPorts", "description": "A list of ports authorized for access.", "default": "[80, 443]", "example": "[80, 443]" } ], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeSecurityGroupRulesCommand", "reason": "Retrieve security group rules to identify unauthorized open ports." } ], "commandUsedInFixFunction": [ { "name": "RevokeSecurityGroupIngressCommand", "reason": "Revoke unauthorized ingress rules from security groups." } ], "adviseBeforeFixFunction": "Validate the list of authorized ports to ensure it meets operational requirements." 
}, { "name": "S3AccessPointInVpcOnly", "description": "Ensures that S3 access points are restricted to VPCs.", "priority": 1, "priorityReason": "Restricting access points to VPCs enhances security by preventing public access.", "awsService": "S3", "awsServiceCategory": "Access Points", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "vpcId", "description": "The ID of the VPC to which the access point should be restricted.", "default": "", "example": "vpc-12345678" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListAccessPointsCommand", "reason": "Retrieve S3 access points to verify VPC-only settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateAccessPointCommand", "reason": "Restrict the access point to a specific VPC." } ], "adviseBeforeFixFunction": "Ensure the target VPC is configured correctly to support S3 access." }, { "name": "S3BucketLevelPublicAccessProhibited", "description": "Ensures that public access to S3 buckets is restricted.", "priority": 1, "priorityReason": "Restricting public access protects data in the S3 bucket from unauthorized users.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetPublicAccessBlockCommand", "reason": "Retrieve public access block settings for S3 buckets." } ], "commandUsedInFixFunction": [ { "name": "PutPublicAccessBlockCommand", "reason": "Restrict public access to the S3 bucket by enabling public access blocks." } ], "adviseBeforeFixFunction": "Ensure that no applications require public access to the bucket before applying restrictions." 
}, { "name": "S3DefaultEncryptionKMS", "description": "Ensures that S3 buckets have default encryption enabled using a KMS key.", "priority": 1, "priorityReason": "Default encryption ensures that all objects stored in the bucket are encrypted, protecting sensitive data.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "kmsKeyId", "description": "The KMS key ID or ARN to enable default encryption.", "default": "", "example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetBucketEncryptionCommand", "reason": "Check if default encryption is enabled for the bucket." } ], "commandUsedInFixFunction": [ { "name": "PutBucketEncryptionCommand", "reason": "Enable default encryption for the bucket." } ], "adviseBeforeFixFunction": "Ensure the KMS key has the necessary permissions to encrypt and decrypt objects." }, { "name": "S3EventNotificationsEnabled", "description": "Ensures that S3 buckets have event notifications enabled for Lambda, SQS, or SNS.", "priority": 2, "priorityReason": "Event notifications facilitate real-time monitoring and automation, improving operational efficiency.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "eventNotificationConfig", "description": "The event notification configuration to apply.", "default": "", "example": "{ \"LambdaFunctionConfigurations\": [...] }" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetBucketNotificationConfigurationCommand", "reason": "Retrieve the event notification configuration for the bucket." } ], "commandUsedInFixFunction": [ { "name": "PutBucketNotificationConfigurationCommand", "reason": "Enable event notifications for the bucket." 
} ], "adviseBeforeFixFunction": "Ensure that the configured notification targets (Lambda, SQS, SNS) are ready to handle events." }, { "name": "S3LastBackupRecoveryPointCreated", "description": "Ensures that S3 buckets have recent recovery points created within the last 24 hours.", "priority": 1, "priorityReason": "Regular backups ensure data integrity and recoverability in case of data loss.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Backup", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "ListRecoveryPointsByResourceCommand", "reason": "Check the recovery points for the S3 bucket." } ], "commandUsedInFixFunction": [], "adviseBeforeFixFunction": "Ensure the backup mechanism is configured to create recovery points regularly." }, { "name": "S3LifecyclePolicyCheck", "description": "Ensures that S3 buckets have lifecycle policies configured for managing object transitions and expirations.", "priority": 2, "priorityReason": "Lifecycle policies help optimize storage costs by managing object transitions and deletions.", "awsService": "S3", "awsServiceCategory": "Buckets", "bestPracticeCategory": "Optimization", "requiredParametersForFix": [ { "name": "lifecyclePolicy", "description": "The lifecycle policy to apply to the bucket.", "default": "", "example": "{ \"Rules\": [...] }" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetBucketLifecycleConfigurationCommand", "reason": "Retrieve the lifecycle configuration for the bucket." } ], "commandUsedInFixFunction": [ { "name": "PutBucketLifecycleConfigurationCommand", "reason": "Apply lifecycle policies to the bucket." } ], "adviseBeforeFixFunction": "Review lifecycle rules to ensure they align with data retention policies." 
}, { "name": "RDSClusterAutoMinorVersionUpgradeEnabled", "description": "Ensures that RDS clusters have auto minor version upgrades enabled.", "priority": 2, "priorityReason": "Auto minor version upgrades ensure that RDS clusters stay up-to-date with the latest security and bug fixes.", "awsService": "RDS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Maintenance", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve details of RDS clusters to check auto minor version upgrade settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBClusterCommand", "reason": "Enable auto minor version upgrades for the RDS cluster." } ], "adviseBeforeFixFunction": "Ensure that enabling auto minor upgrades does not disrupt application compatibility." }, { "name": "RDSClusterDefaultAdminCheck", "description": "Ensures that RDS clusters do not use default admin usernames like 'admin' or 'postgres'.", "priority": 1, "priorityReason": "Using non-default admin usernames reduces the risk of brute-force attacks.", "awsService": "RDS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve details of RDS clusters to check admin usernames." } ], "commandUsedInFixFunction": [], "adviseBeforeFixFunction": "Consider re-creating clusters with non-default admin usernames to enhance security." 
}, { "name": "RDSClusterMultiAZEnabled", "description": "Ensures that RDS clusters are configured for Multi-AZ deployments.", "priority": 1, "priorityReason": "Multi-AZ deployments provide high availability and fault tolerance for RDS clusters.", "awsService": "RDS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Reliability", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve details of RDS clusters to check Multi-AZ settings." } ], "commandUsedInFixFunction": [], "adviseBeforeFixFunction": "Ensure applications can tolerate a potential brief downtime during Multi-AZ deployment configuration." }, { "name": "RDSDBSecurityGroupNotAllowed", "description": "Ensures that RDS clusters do not use default security groups.", "priority": 1, "priorityReason": "Using custom security groups reduces the risk of unintended access to the database.", "awsService": "RDS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve details of RDS clusters and their associated security groups." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBClusterCommand", "reason": "Assign a custom security group to the RDS cluster." } ], "adviseBeforeFixFunction": "Ensure that the custom security group allows only authorized traffic." 
}, { "name": "RDSEnhancedMonitoringEnabled", "description": "Ensures that enhanced monitoring is enabled for RDS instances.", "priority": 2, "priorityReason": "Enhanced monitoring provides deeper insights into database performance and resource usage.", "awsService": "RDS", "awsServiceCategory": "Instances", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "monitoringRoleArn", "description": "The ARN of the IAM role used for enhanced monitoring.", "default": "", "example": "arn:aws:iam::123456789012:role/RDSMonitoringRole" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBInstancesCommand", "reason": "Retrieve details of RDS instances to check monitoring settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBInstanceCommand", "reason": "Enable enhanced monitoring for the RDS instance." } ], "adviseBeforeFixFunction": "Ensure the monitoring IAM role is properly configured with the required permissions." }, { "name": "RDSInstancePublicAccessCheck", "description": "Ensures that RDS instances are not publicly accessible.", "priority": 1, "priorityReason": "Restricting public access reduces the risk of unauthorized access to databases.", "awsService": "RDS", "awsServiceCategory": "Instances", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBInstancesCommand", "reason": "Retrieve details of RDS instances to check public accessibility." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBInstanceCommand", "reason": "Disable public accessibility for the RDS instance." } ], "adviseBeforeFixFunction": "Verify that applications accessing the database are within the same VPC or have secure connectivity." 
}, { "name": "RDSLoggingEnabled", "description": "Ensures that RDS clusters have logging enabled for supported log types.", "priority": 1, "priorityReason": "Enabling logging provides visibility into database activity and assists with compliance and debugging.", "awsService": "RDS", "awsServiceCategory": "Clusters", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "logTypes", "description": "The list of log types to enable for the RDS cluster.", "default": "", "example": "[\"audit\", \"error\", \"general\", \"slowquery\"]" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClustersCommand", "reason": "Retrieve details of RDS clusters to check their logging settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyDBClusterCommand", "reason": "Enable logging for the RDS cluster." } ], "adviseBeforeFixFunction": "Ensure that the enabled log types align with monitoring and compliance requirements." }, { "name": "RDSSnapshotEncrypted", "description": "Ensures that RDS snapshots are encrypted.", "priority": 1, "priorityReason": "Encrypting snapshots protects sensitive data stored in backups.", "awsService": "RDS", "awsServiceCategory": "Snapshots", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "kmsKeyId", "description": "The KMS key ID or ARN to use for snapshot encryption.", "default": "", "example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeDBClusterSnapshotsCommand", "reason": "Retrieve details of RDS snapshots to check their encryption status." } ], "commandUsedInFixFunction": [ { "name": "CopyDBClusterSnapshotCommand", "reason": "Create an encrypted copy of an unencrypted snapshot." } ], "adviseBeforeFixFunction": "Ensure the KMS key is configured with the appropriate permissions for snapshot encryption." 
}, { "name": "ElastiCacheReplGrpAutoFailoverEnabled", "description": "Ensures that automatic failover is enabled for ElastiCache replication groups.", "priority": 1, "priorityReason": "Automatic failover provides high availability and reduces downtime in case of failures.", "awsService": "ElastiCache", "awsServiceCategory": "Replication Groups", "bestPracticeCategory": "Reliability", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeReplicationGroupsCommand", "reason": "Retrieve details of ElastiCache replication groups to check their failover settings." } ], "commandUsedInFixFunction": [ { "name": "ModifyReplicationGroupCommand", "reason": "Enable automatic failover for the replication group." } ], "adviseBeforeFixFunction": "Ensure that the replication group is configured for high availability." }, { "name": "ElastiCacheReplGrpEncryptedAtRest", "description": "Ensures that ElastiCache replication groups are encrypted at rest.", "priority": 1, "priorityReason": "Encrypting data at rest protects it from unauthorized access in storage.", "awsService": "ElastiCache", "awsServiceCategory": "Replication Groups", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeReplicationGroupsCommand", "reason": "Retrieve details of ElastiCache replication groups to check their encryption settings." } ], "commandUsedInFixFunction": [], "adviseBeforeFixFunction": "Encryption at rest must be enabled at the time of cluster creation." 
}, { "name": "ElastiCacheReplGrpEncryptedInTransit", "description": "Ensures that ElastiCache replication groups are encrypted in transit.", "priority": 1, "priorityReason": "Encrypting data in transit protects it from interception during communication.", "awsService": "ElastiCache", "awsServiceCategory": "Replication Groups", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeReplicationGroupsCommand", "reason": "Retrieve details of ElastiCache replication groups to check their in-transit encryption settings." } ], "commandUsedInFixFunction": [], "adviseBeforeFixFunction": "In-transit encryption must be enabled at the time of cluster creation." }, { "name": "ECSAwsVpcNetworkingEnabled", "description": "Ensures that ECS task definitions use the awsvpc networking mode.", "priority": 1, "priorityReason": "Using awsvpc networking mode ensures that tasks receive their own elastic network interfaces for enhanced security.", "awsService": "ECS", "awsServiceCategory": "Task Definitions", "bestPracticeCategory": "Networking", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeTaskDefinitionCommand", "reason": "Retrieve details of ECS task definitions to check their network mode." } ], "commandUsedInFixFunction": [ { "name": "RegisterTaskDefinitionCommand", "reason": "Re-register the task definition with the awsvpc networking mode." } ], "adviseBeforeFixFunction": "Ensure that the VPC and subnets are configured to support the awsvpc networking mode." 
}, { "name": "ECSContainersReadonlyAccess", "description": "Ensures that ECS containers are configured with read-only root file systems.", "priority": 2, "priorityReason": "Using read-only root file systems reduces the risk of unauthorized changes to the container's file system.", "awsService": "ECS", "awsServiceCategory": "Task Definitions", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeTaskDefinitionCommand", "reason": "Retrieve details of ECS task definitions to check container file system permissions." } ], "commandUsedInFixFunction": [ { "name": "RegisterTaskDefinitionCommand", "reason": "Re-register the task definition with read-only root file systems for containers." } ], "adviseBeforeFixFunction": "Verify that the application does not require write access to the container's root file system." }, { "name": "ECSFargateLatestPlatformVersion", "description": "Ensures that ECS services use the latest Fargate platform version.", "priority": 2, "priorityReason": "Using the latest platform version ensures access to the latest features and bug fixes.", "awsService": "ECS", "awsServiceCategory": "Services", "bestPracticeCategory": "Maintenance", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeServicesCommand", "reason": "Retrieve details of ECS services to check their platform version." } ], "commandUsedInFixFunction": [ { "name": "UpdateServiceCommand", "reason": "Update the service to use the latest Fargate platform version." } ], "adviseBeforeFixFunction": "Ensure that updating the platform version does not disrupt service operations." 
}, { "name": "ECRKmsEncryption1", "description": "Ensures that ECR repositories are encrypted using KMS keys.", "priority": 1, "priorityReason": "Encrypting ECR repositories with KMS keys protects sensitive data from unauthorized access.", "awsService": "ECR", "awsServiceCategory": "Repositories", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "kmsKeyId", "description": "The KMS key ID or ARN to use for encryption.", "default": "", "example": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeRepositoriesCommand", "reason": "Retrieve details of ECR repositories to check their encryption settings." } ], "commandUsedInFixFunction": [ { "name": "PutEncryptionConfigurationCommand", "reason": "Enable KMS encryption for the ECR repository." } ], "adviseBeforeFixFunction": "Ensure the KMS key is properly configured with permissions to encrypt and decrypt ECR repository data." }, { "name": "EC2EbsEncryptionByDefault", "description": "Ensures that EBS volumes are encrypted by default.", "priority": 1, "priorityReason": "Default encryption ensures all newly created EBS volumes are protected by encryption.", "awsService": "EC2", "awsServiceCategory": "EBS", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetEbsEncryptionByDefaultCommand", "reason": "Check if EBS encryption by default is enabled." } ], "commandUsedInFixFunction": [ { "name": "EnableEbsEncryptionByDefaultCommand", "reason": "Enable EBS encryption by default." } ], "adviseBeforeFixFunction": "Ensure that encryption requirements align with organizational security policies." 
}, { "name": "EC2Imdsv2Check", "description": "Ensures that EC2 instances require IMDSv2 for metadata access.", "priority": 1, "priorityReason": "Requiring IMDSv2 improves instance metadata security by preventing SSRF attacks.", "awsService": "EC2", "awsServiceCategory": "Instances", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeInstancesCommand", "reason": "Retrieve details of EC2 instances to check their metadata options." } ], "commandUsedInFixFunction": [ { "name": "ModifyInstanceMetadataOptionsCommand", "reason": "Enforce IMDSv2 on EC2 instances." } ], "adviseBeforeFixFunction": "Verify that applications using instance metadata are compatible with IMDSv2." }, { "name": "EC2InstanceDetailedMonitoringEnabled", "description": "Ensures that EC2 instances have detailed monitoring enabled.", "priority": 2, "priorityReason": "Detailed monitoring provides granular metrics for resource usage and performance analysis.", "awsService": "EC2", "awsServiceCategory": "Instances", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeInstancesCommand", "reason": "Retrieve details of EC2 instances to check their monitoring state." } ], "commandUsedInFixFunction": [ { "name": "MonitorInstancesCommand", "reason": "Enable detailed monitoring on EC2 instances." } ], "adviseBeforeFixFunction": "Ensure that enabling detailed monitoring aligns with operational requirements." 
}, { "name": "EC2InstanceManagedBySystemsManager", "description": "Ensures that EC2 instances are managed by AWS Systems Manager.", "priority": 2, "priorityReason": "Using Systems Manager simplifies management tasks such as patching, configuration, and automation.", "awsService": "EC2", "awsServiceCategory": "Instances", "bestPracticeCategory": "Management", "requiredParametersForFix": [ { "name": "iamRole", "description": "The IAM role to attach to the instance for Systems Manager.", "default": "", "example": "arn:aws:iam::123456789012:role/SSMRole" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeInstanceInformationCommand", "reason": "Check if instances are registered with Systems Manager." } ], "commandUsedInFixFunction": [ { "name": "AttachIamInstanceProfileCommand", "reason": "Attach an IAM role that enables Systems Manager to manage the instance." } ], "adviseBeforeFixFunction": "Ensure the IAM role has the necessary permissions for Systems Manager operations." }, { "name": "EC2NoAmazonKeyPair", "description": "Ensures that EC2 instances do not use Amazon-provided key pairs for authentication.", "priority": 1, "priorityReason": "Using custom key pairs ensures that access to EC2 instances is controlled by the organization.", "awsService": "EC2", "awsServiceCategory": "Instances", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "newKeyPair", "description": "The custom key pair to use for the EC2 instance.", "default": "", "example": "my-custom-keypair" } ], "isFixFunctionUsesDestructiveCommand": true, "commandUsedInCheckFunction": [ { "name": "DescribeInstancesCommand", "reason": "Retrieve details of EC2 instances to check their key pair settings." } ], "commandUsedInFixFunction": [ { "name": "RecreateInstanceWithNewKeyPairCommand", "reason": "Recreate the instance with a custom key pair." 
} ], "adviseBeforeFixFunction": "Ensure that the new key pair is securely stored and accessible." }, { "name": "EC2TokenHopLimitCheck", "description": "Ensures that EC2 instance metadata service has a low token hop limit configured.", "priority": 2, "priorityReason": "Reducing the hop limit minimizes the risk of metadata interception in multi-hop scenarios.", "awsService": "EC2", "awsServiceCategory": "Instances", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "hopLimit", "description": "The maximum number of hops allowed for the metadata service.", "default": "1", "example": "1" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeInstancesCommand", "reason": "Retrieve details of EC2 instances to check their metadata service hop limit." } ], "commandUsedInFixFunction": [ { "name": "ModifyInstanceMetadataOptionsCommand", "reason": "Set the hop limit for the instance metadata service." } ], "adviseBeforeFixFunction": "Ensure that the hop limit setting does not interfere with legitimate application behavior." }, { "name": "DynamoDBTableEncryptionEnabled", "description": "Ensures that DynamoDB tables are encrypted at rest.", "priority": 1, "priorityReason": "Encrypting DynamoDB tables protects sensitive data stored in the database.", "awsService": "DynamoDB", "awsServiceCategory": "Tables", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeTableCommand", "reason": "Retrieve details of DynamoDB tables to check their encryption settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateTableCommand", "reason": "Enable encryption for the DynamoDB table." } ], "adviseBeforeFixFunction": "Ensure that enabling encryption aligns with your organization's data security policies." 
}, { "name": "CWLogGroupRetentionPeriodCheck", "description": "Ensures that CloudWatch log groups have a defined retention period.", "priority": 2, "priorityReason": "Defining a retention period reduces storage costs and ensures logs are not kept indefinitely.", "awsService": "CloudWatch", "awsServiceCategory": "Logs", "bestPracticeCategory": "Cost Optimization", "requiredParametersForFix": [ { "name": "retentionDays", "description": "The number of days to retain log data.", "default": "30", "example": "7" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeLogGroupsCommand", "reason": "Retrieve details of CloudWatch log groups to check their retention settings." } ], "commandUsedInFixFunction": [ { "name": "PutRetentionPolicyCommand", "reason": "Set the retention period for CloudWatch log groups." } ], "adviseBeforeFixFunction": "Choose a retention period that balances storage costs and compliance requirements." }, { "name": "CloudFrontS3OriginAccessControlEnabled", "description": "Ensures that CloudFront distributions with S3 origins have origin access control enabled.", "priority": 1, "priorityReason": "Using origin access control restricts access to S3 buckets, enhancing security.", "awsService": "CloudFront", "awsServiceCategory": "Distributions", "bestPracticeCategory": "Security", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetDistributionCommand", "reason": "Retrieve CloudFront distribution configurations to check origin access settings." } ], "commandUsedInFixFunction": [ { "name": "UpdateDistributionCommand", "reason": "Enable origin access control for CloudFront distributions." } ], "adviseBeforeFixFunction": "Ensure that enabling origin access control does not disrupt existing functionality." 
}, { "name": "ALBWAFEnabled", "description": "Ensures that a WAF web ACL is associated with each ALB.", "priority": 1, "priorityReason": "Associating a WAF web ACL with ALBs protects against common web attacks.", "awsService": "Elastic Load Balancing", "awsServiceCategory": "Application Load Balancer", "bestPracticeCategory": "Security", "requiredParametersForFix": [ { "name": "webAclArn", "description": "The ARN of the WAF ACL to associate with the ALB.", "default": "", "example": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "GetWebAclForResourceCommand", "reason": "Check if a WAF web ACL is associated with the ALB." } ], "commandUsedInFixFunction": [ { "name": "AssociateWebAclCommand", "reason": "Associate a WAF ACL with the ALB." } ], "adviseBeforeFixFunction": "Ensure the WAF ACL has the appropriate rules for the application's requirements." }, { "name": "ELBCrossZoneLoadBalancingEnabled", "description": "Ensures that cross-zone load balancing is enabled for load balancers.", "priority": 2, "priorityReason": "Cross-zone load balancing distributes traffic evenly across all registered targets.", "awsService": "Elastic Load Balancing", "awsServiceCategory": "Load Balancer", "bestPracticeCategory": "Reliability", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeLoadBalancerAttributesCommand", "reason": "Check if cross-zone load balancing is enabled for load balancers." } ], "commandUsedInFixFunction": [ { "name": "ModifyLoadBalancerAttributesCommand", "reason": "Enable cross-zone load balancing for load balancers." } ], "adviseBeforeFixFunction": "Ensure enabling cross-zone load balancing aligns with traffic distribution goals." 
}, { "name": "ELBDeletionProtectionEnabled", "description": "Ensures that deletion protection is enabled for load balancers.", "priority": 1, "priorityReason": "Enabling deletion protection prevents accidental deletion of load balancers.", "awsService": "Elastic Load Balancing", "awsServiceCategory": "Load Balancer", "bestPracticeCategory": "Reliability", "requiredParametersForFix": [], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeLoadBalancerAttributesCommand", "reason": "Check if deletion protection is enabled for load balancers." } ], "commandUsedInFixFunction": [ { "name": "ModifyLoadBalancerAttributesCommand", "reason": "Enable deletion protection for load balancers." } ], "adviseBeforeFixFunction": "Verify that deletion protection is necessary for the load balancer's lifecycle management." }, { "name": "ELBLoggingEnabled", "description": "Ensures that access logs are enabled for load balancers.", "priority": 1, "priorityReason": "Enabling access logs helps with debugging and analyzing traffic patterns.", "awsService": "Elastic Load Balancing", "awsServiceCategory": "Load Balancer", "bestPracticeCategory": "Monitoring", "requiredParametersForFix": [ { "name": "s3BucketName", "description": "The S3 bucket to store access logs.", "default": "", "example": "my-logs-bucket" } ], "isFixFunctionUsesDestructiveCommand": false, "commandUsedInCheckFunction": [ { "name": "DescribeLoadBalancerAttributesCommand", "reason": "Check if access logging is enabled for load balancers." } ], "commandUsedInFixFunction": [ { "name": "ModifyLoadBalancerAttributesCommand", "reason": "Enable access logs for load balancers." } ], "adviseBeforeFixFunction": "Ensure that the specified S3 bucket exists and has permissions to receive access logs." } ]