From c8ad117387281a96ea065cc62e80a6a814855a01 Mon Sep 17 00:00:00 2001 From: bensonce <133029270+bensonce@users.noreply.github.com> Date: Wed, 1 Jan 2025 00:05:46 +0000 Subject: [PATCH] Automatic updates to AWS managed Config Rules --- files/pack-rules-list.txt | 7 +- files/pack-rules.yaml | 873 ++++++++++++------------------------- managed_rules_locals.tf | 300 ++++++++++++- managed_rules_variables.tf | 233 ++++++++++ 4 files changed, 808 insertions(+), 605 deletions(-) diff --git a/files/pack-rules-list.txt b/files/pack-rules-list.txt index a82b99e..066a9e9 100644 --- a/files/pack-rules-list.txt +++ b/files/pack-rules-list.txt @@ -35,11 +35,6 @@ Operational-Best-Practices-for-CISA-Cyber-Essentials Operational-Best-Practices-for-CJIS Operational-Best-Practices-for-CMMC-2.0-Level-1 Operational-Best-Practices-for-CMMC-2.0-Level-2 -Operational-Best-Practices-for-CMMC-Level-1 -Operational-Best-Practices-for-CMMC-Level-2 -Operational-Best-Practices-for-CMMC-Level-3 -Operational-Best-Practices-for-CMMC-Level-4 -Operational-Best-Practices-for-CMMC-Level-5 Operational-Best-Practices-for-CloudWatch Operational-Best-Practices-for-Compute-Services Operational-Best-Practices-for-Data-Resiliency @@ -81,6 +76,8 @@ Operational-Best-Practices-for-NIST-Privacy-Framework Operational-Best-Practices-for-NYDFS-23-NYCRR-500 Operational-Best-Practices-for-NZISM Operational-Best-Practices-for-Networking-Services +Operational-Best-Practices-for-PCI-DSS-v4.0-excluding-global-resourcetypes +Operational-Best-Practices-for-PCI-DSS-v4.0-including-global-resourcetypes Operational-Best-Practices-for-PCI-DSS Operational-Best-Practices-for-Publicly-Accessible-Resources Operational-Best-Practices-for-RBI-Basic-Cyber-Security-Framework diff --git a/files/pack-rules.yaml b/files/pack-rules.yaml index fc1455c..e5c735f 100644 --- a/files/pack-rules.yaml +++ b/files/pack-rules.yaml 
@@ -1,4 +1,4 @@ -generated_on: '2024-09-15T00:05:29Z' +generated_on: '2025-01-01T00:05:33Z' packs: AWS-Control-Tower-Detective-Guardrails: - autoscaling-launch-config-public-ip-disabled @@ -117,6 +117,7 @@ packs: - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -241,6 +242,7 @@ packs: - mfa-enabled-for-iam-console-access - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -365,6 +367,7 @@ packs: - mfa-enabled-for-iam-console-access - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-instance-public-access-check - rds-logging-enabled @@ -767,6 +770,7 @@ packs: - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -891,6 +895,7 @@ packs: - opensearch-data-node-fault-tolerance - opensearch-logs-to-cloudwatch - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -1104,6 +1109,7 @@ packs: - elb-deletion-protection-enabled - fsx-resources-protected-by-backup-plan - lambda-concurrency-check + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-multi-az-support 
@@ -1437,6 +1443,7 @@ packs: - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -1548,6 +1555,7 @@ packs: - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -1660,6 +1668,7 @@ packs: - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -2019,6 +2028,7 @@ packs: - opensearch-https-required - opensearch-in-vpc-only - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-instance-deletion-protection-enabled - rds-instance-public-access-check - rds-logging-enabled @@ -2149,6 +2159,7 @@ packs: - opensearch-https-required - opensearch-in-vpc-only - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-instance-deletion-protection-enabled - rds-instance-public-access-check - rds-logging-enabled @@ -2363,6 +2374,7 @@ packs: - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled 
@@ -2472,543 +2484,27 @@ packs: - iam-user-mfa-enabled - iam-user-no-policies-check - iam-user-unused-credentials-check - - kinesis-stream-encrypted - - lambda-function-public-access-prohibited - - lambda-inside-vpc - - mfa-enabled-for-iam-console-access - - multi-region-cloudtrail-enabled - - no-unrestricted-route-to-igw - - opensearch-audit-logging-enabled - - opensearch-encrypted-at-rest - - opensearch-https-required - - opensearch-in-vpc-only - - opensearch-logs-to-cloudwatch - - opensearch-node-to-node-encryption-check - - rds-instance-iam-authentication-enabled - - rds-instance-public-access-check - - rds-logging-enabled - - rds-snapshot-encrypted - - rds-snapshots-public-prohibited - - rds-storage-encrypted - - redshift-audit-logging-enabled - - redshift-cluster-configuration-check - - redshift-cluster-kms-enabled - - redshift-cluster-public-access-check - - redshift-require-tls-ssl - - restricted-common-ports - - restricted-ssh - - root-account-hardware-mfa-enabled - - root-account-mfa-enabled - - s3-account-level-public-access-blocks-periodic - - s3-bucket-acl-prohibited - - s3-bucket-default-lock-enabled - - s3-bucket-level-public-access-prohibited - - s3-bucket-logging-enabled - - s3-bucket-public-read-prohibited - - s3-bucket-public-write-prohibited - - s3-bucket-server-side-encryption-enabled - - s3-bucket-ssl-requests-only - - s3-default-encryption-kms - - sagemaker-endpoint-configuration-kms-key-configured - - sagemaker-notebook-instance-kms-key-configured - - sagemaker-notebook-no-direct-internet-access - - secretsmanager-secret-unused - - secretsmanager-using-cmk - - securityhub-enabled - - sns-encrypted-kms - - subnet-auto-assign-public-ip-disabled - - vpc-default-security-group-closed - - vpc-flow-logs-enabled - - vpc-network-acl-unused-check - - vpc-sg-open-only-to-authorized-ports - - waf-regional-rule-not-empty - - waf-regional-rulegroup-not-empty - - waf-regional-webacl-not-empty - - wafv2-logging-enabled - 
Operational-Best-Practices-for-CMMC-2.0-Level-1: - - access-keys-rotated - - alb-http-drop-invalid-header-enabled - - alb-http-to-https-redirection-check - - alb-waf-enabled - - api-gw-associated-with-waf - - api-gw-execution-logging-enabled - - autoscaling-launch-config-public-ip-disabled - - cloud-trail-cloud-watch-logs-enabled - - cloudtrail-s3-dataevents-enabled - - cloudwatch-alarm-action-check - - dms-replication-not-public - - ebs-snapshot-public-restorable-check - - ec2-imdsv2-check - - ec2-instance-no-public-ip - - ec2-instance-profile-attached - - ec2-instances-in-vpc - - ecr-private-image-scanning-enabled - - elasticsearch-in-vpc-only - - elasticsearch-node-to-node-encryption-check - - elb-acm-certificate-required - - elb-logging-enabled - - elb-tls-https-listeners-only - - emr-kerberos-enabled - - emr-master-no-public-ip - - guardduty-enabled-centralized - - iam-customer-policy-blocked-kms-actions - - iam-group-has-users-check - - iam-inline-policy-blocked-kms-actions - - iam-no-inline-policy-check - - iam-password-policy - - iam-policy-no-statements-with-admin-access - - iam-policy-no-statements-with-full-access - - iam-root-access-key-check - - iam-user-group-membership-check - - iam-user-mfa-enabled - - iam-user-no-policies-check - - iam-user-unused-credentials-check - - internet-gateway-authorized-vpc-only - - lambda-function-public-access-prohibited - - lambda-inside-vpc - - mfa-enabled-for-iam-console-access - - multi-region-cloudtrail-enabled - - no-unrestricted-route-to-igw - - opensearch-in-vpc-only - - opensearch-node-to-node-encryption-check - - rds-instance-public-access-check - - rds-logging-enabled - - rds-snapshots-public-prohibited - - redshift-cluster-public-access-check - - redshift-require-tls-ssl - - restricted-common-ports - - restricted-ssh - - root-account-hardware-mfa-enabled - - root-account-mfa-enabled - - s3-account-level-public-access-blocks-periodic - - s3-bucket-level-public-access-prohibited - - s3-bucket-logging-enabled - 
- s3-bucket-policy-grantee-check - - s3-bucket-public-read-prohibited - - s3-bucket-public-write-prohibited - - s3-bucket-ssl-requests-only - - sagemaker-notebook-no-direct-internet-access - - secretsmanager-rotation-enabled-check - - secretsmanager-scheduled-rotation-success-check - - securityhub-enabled - - ssm-document-not-public - - subnet-auto-assign-public-ip-disabled - - vpc-default-security-group-closed - - vpc-sg-open-only-to-authorized-ports - - wafv2-logging-enabled - Operational-Best-Practices-for-CMMC-2.0-Level-2: - - access-keys-rotated - - account-part-of-organizations - - acm-certificate-expiration-check - - alb-http-drop-invalid-header-enabled - - alb-http-to-https-redirection-check - - alb-waf-enabled - - api-gw-associated-with-waf - - api-gw-cache-enabled-and-encrypted - - api-gw-execution-logging-enabled - - api-gw-ssl-enabled - - autoscaling-launch-config-public-ip-disabled - - backup-plan-min-frequency-and-min-retention-check - - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-encryption-enabled - - cloud-trail-log-file-validation-enabled - - cloudtrail-enabled - - cloudtrail-s3-dataevents-enabled - - cloudtrail-security-trail-enabled - - cloudwatch-alarm-action-check - - cloudwatch-log-group-encrypted - - cmk-backing-key-rotation-enabled - - codebuild-project-envvar-awscred-check - - codebuild-project-source-repo-url-check - - cw-loggroup-retention-period-check - - db-instance-backup-enabled - - dms-replication-not-public - - dynamodb-autoscaling-enabled - - dynamodb-in-backup-plan - - dynamodb-pitr-enabled - - ebs-in-backup-plan - - ebs-optimized-instance - - ebs-snapshot-public-restorable-check - - ec2-ebs-encryption-by-default - - ec2-imdsv2-check - - ec2-instance-managed-by-systems-manager - - ec2-instance-no-public-ip - - ec2-instance-profile-attached - - ec2-instances-in-vpc - - ec2-managedinstance-association-compliance-status-check - - ec2-managedinstance-patch-compliance-status-check - - ec2-stopped-instance - - 
ec2-volume-inuse-check - - ecr-private-image-scanning-enabled - - efs-encrypted-check - - efs-in-backup-plan - - eip-attached - - elastic-beanstalk-managed-updates-enabled - - elasticache-redis-cluster-automatic-backup-check - - elasticsearch-encrypted-at-rest - - elasticsearch-in-vpc-only - - elasticsearch-node-to-node-encryption-check - - elb-acm-certificate-required - - elb-cross-zone-load-balancing-enabled - - elb-deletion-protection-enabled - - elb-logging-enabled - - elb-tls-https-listeners-only - - elbv2-acm-certificate-required - - emr-kerberos-enabled - - emr-master-no-public-ip - - encrypted-volumes - - guardduty-enabled-centralized - - guardduty-non-archived-findings - - iam-customer-policy-blocked-kms-actions - - iam-group-has-users-check - - iam-inline-policy-blocked-kms-actions - - iam-no-inline-policy-check - - iam-password-policy - - iam-policy-no-statements-with-admin-access - - iam-policy-no-statements-with-full-access - - iam-root-access-key-check - - iam-user-group-membership-check - - iam-user-mfa-enabled - - iam-user-no-policies-check - - iam-user-unused-credentials-check - - internet-gateway-authorized-vpc-only - - kms-cmk-not-scheduled-for-deletion - - lambda-dlq-check - - lambda-function-public-access-prohibited - - lambda-inside-vpc - - mfa-enabled-for-iam-console-access - - multi-region-cloudtrail-enabled - - no-unrestricted-route-to-igw - - opensearch-encrypted-at-rest - - opensearch-in-vpc-only - - opensearch-node-to-node-encryption-check - - rds-automatic-minor-version-upgrade-enabled - - rds-in-backup-plan - - rds-instance-deletion-protection-enabled - - rds-instance-public-access-check - - rds-logging-enabled - - rds-multi-az-support - - rds-snapshot-encrypted - - rds-snapshots-public-prohibited - - rds-storage-encrypted - - redshift-backup-enabled - - redshift-cluster-kms-enabled - - redshift-cluster-maintenancesettings-check - - redshift-cluster-public-access-check - - redshift-require-tls-ssl - - restricted-common-ports - - 
restricted-ssh - - root-account-hardware-mfa-enabled - - root-account-mfa-enabled - - s3-account-level-public-access-blocks-periodic - - s3-bucket-default-lock-enabled - - s3-bucket-level-public-access-prohibited - - s3-bucket-logging-enabled - - s3-bucket-policy-grantee-check - - s3-bucket-public-read-prohibited - - s3-bucket-public-write-prohibited - - s3-bucket-replication-enabled - - s3-bucket-server-side-encryption-enabled - - s3-bucket-ssl-requests-only - - s3-bucket-versioning-enabled - - s3-default-encryption-kms - - sagemaker-endpoint-configuration-kms-key-configured - - sagemaker-notebook-instance-kms-key-configured - - sagemaker-notebook-no-direct-internet-access - - secretsmanager-rotation-enabled-check - - secretsmanager-scheduled-rotation-success-check - - securityhub-enabled - - sns-encrypted-kms - - ssm-document-not-public - - subnet-auto-assign-public-ip-disabled - - vpc-default-security-group-closed - - vpc-sg-open-only-to-authorized-ports - - vpc-vpn-2-tunnels-up - - wafv2-logging-enabled - Operational-Best-Practices-for-CMMC-Level-1: - - access-keys-rotated - - alb-http-drop-invalid-header-enabled - - alb-http-to-https-redirection-check - - alb-waf-enabled - - api-gw-associated-with-waf - - api-gw-execution-logging-enabled - - autoscaling-launch-config-public-ip-disabled - - cloud-trail-cloud-watch-logs-enabled - - cloudtrail-enabled - - cloudtrail-s3-dataevents-enabled - - cloudwatch-alarm-action-check - - dms-replication-not-public - - ebs-snapshot-public-restorable-check - - ec2-imdsv2-check - - ec2-instance-no-public-ip - - ec2-instance-profile-attached - - ec2-instances-in-vpc - - elasticsearch-in-vpc-only - - elasticsearch-node-to-node-encryption-check - - elb-acm-certificate-required - - elb-logging-enabled - - elb-tls-https-listeners-only - - emr-kerberos-enabled - - emr-master-no-public-ip - - guardduty-enabled-centralized - - iam-customer-policy-blocked-kms-actions - - iam-group-has-users-check - - iam-inline-policy-blocked-kms-actions 
- - iam-no-inline-policy-check - - iam-password-policy - - iam-policy-no-statements-with-admin-access - - iam-policy-no-statements-with-full-access - - iam-root-access-key-check - - iam-user-group-membership-check - - iam-user-mfa-enabled - - iam-user-no-policies-check - - iam-user-unused-credentials-check - - internet-gateway-authorized-vpc-only - - lambda-function-public-access-prohibited - - lambda-inside-vpc - - mfa-enabled-for-iam-console-access - - multi-region-cloudtrail-enabled - - no-unrestricted-route-to-igw - - opensearch-in-vpc-only - - opensearch-node-to-node-encryption-check - - rds-instance-public-access-check - - rds-logging-enabled - - rds-snapshots-public-prohibited - - redshift-cluster-public-access-check - - redshift-require-tls-ssl - - restricted-common-ports - - restricted-ssh - - root-account-hardware-mfa-enabled - - root-account-mfa-enabled - - s3-account-level-public-access-blocks-periodic - - s3-bucket-level-public-access-prohibited - - s3-bucket-logging-enabled - - s3-bucket-policy-grantee-check - - s3-bucket-public-read-prohibited - - s3-bucket-public-write-prohibited - - s3-bucket-ssl-requests-only - - sagemaker-notebook-no-direct-internet-access - - secretsmanager-rotation-enabled-check - - secretsmanager-scheduled-rotation-success-check - - securityhub-enabled - - ssm-document-not-public - - subnet-auto-assign-public-ip-disabled - - vpc-default-security-group-closed - - vpc-sg-open-only-to-authorized-ports - - wafv2-logging-enabled - Operational-Best-Practices-for-CMMC-Level-2: - - access-keys-rotated - - account-part-of-organizations - - alb-http-drop-invalid-header-enabled - - alb-http-to-https-redirection-check - - alb-waf-enabled - - api-gw-associated-with-waf - - api-gw-cache-enabled-and-encrypted - - api-gw-execution-logging-enabled - - api-gw-ssl-enabled - - autoscaling-group-elb-healthcheck-required - - autoscaling-launch-config-public-ip-disabled - - backup-plan-min-frequency-and-min-retention-check - - 
cloud-trail-cloud-watch-logs-enabled - - cloud-trail-log-file-validation-enabled - - cloudtrail-enabled - - cloudtrail-s3-dataevents-enabled - - cloudtrail-security-trail-enabled - - cloudwatch-alarm-action-check - - cw-loggroup-retention-period-check - - db-instance-backup-enabled - - dms-replication-not-public - - dynamodb-in-backup-plan - - dynamodb-pitr-enabled - - ebs-in-backup-plan - - ebs-snapshot-public-restorable-check - - ec2-ebs-encryption-by-default - - ec2-imdsv2-check - - ec2-instance-managed-by-systems-manager - - ec2-instance-no-public-ip - - ec2-instance-profile-attached - - ec2-instances-in-vpc - - ec2-managedinstance-association-compliance-status-check - - ec2-managedinstance-patch-compliance-status-check - - ec2-stopped-instance - - ec2-volume-inuse-check - - efs-encrypted-check - - efs-in-backup-plan - - eip-attached - - elastic-beanstalk-managed-updates-enabled - - elasticache-redis-cluster-automatic-backup-check - - elasticsearch-encrypted-at-rest - - elasticsearch-in-vpc-only - - elasticsearch-node-to-node-encryption-check - - elb-acm-certificate-required - - elb-logging-enabled - - elb-tls-https-listeners-only - - elbv2-acm-certificate-required - - emr-kerberos-enabled - - emr-master-no-public-ip - - encrypted-volumes - - guardduty-enabled-centralized - - guardduty-non-archived-findings - - iam-customer-policy-blocked-kms-actions - - iam-group-has-users-check - - iam-inline-policy-blocked-kms-actions - - iam-no-inline-policy-check - - iam-password-policy - - iam-policy-no-statements-with-admin-access - - iam-policy-no-statements-with-full-access - - iam-root-access-key-check - - iam-user-group-membership-check - - iam-user-mfa-enabled - - iam-user-no-policies-check - - iam-user-unused-credentials-check - - internet-gateway-authorized-vpc-only - - lambda-dlq-check - - lambda-function-public-access-prohibited - - lambda-inside-vpc - - mfa-enabled-for-iam-console-access - - multi-region-cloudtrail-enabled - - no-unrestricted-route-to-igw - - 
opensearch-encrypted-at-rest - - opensearch-in-vpc-only - - opensearch-node-to-node-encryption-check - - rds-automatic-minor-version-upgrade-enabled - - rds-in-backup-plan - - rds-instance-public-access-check - - rds-logging-enabled - - rds-snapshot-encrypted - - rds-snapshots-public-prohibited - - rds-storage-encrypted - - redshift-backup-enabled - - redshift-cluster-kms-enabled - - redshift-cluster-maintenancesettings-check - - redshift-cluster-public-access-check - - redshift-require-tls-ssl - - restricted-common-ports - - restricted-ssh - - root-account-hardware-mfa-enabled - - root-account-mfa-enabled - - s3-account-level-public-access-blocks-periodic - - s3-bucket-level-public-access-prohibited - - s3-bucket-logging-enabled - - s3-bucket-policy-grantee-check - - s3-bucket-public-read-prohibited - - s3-bucket-public-write-prohibited - - s3-bucket-replication-enabled - - s3-bucket-server-side-encryption-enabled - - s3-bucket-ssl-requests-only - - s3-bucket-versioning-enabled - - s3-default-encryption-kms - - sagemaker-endpoint-configuration-kms-key-configured - - sagemaker-notebook-instance-kms-key-configured - - sagemaker-notebook-no-direct-internet-access - - secretsmanager-rotation-enabled-check - - secretsmanager-scheduled-rotation-success-check - - securityhub-enabled - - sns-encrypted-kms - - ssm-document-not-public - - subnet-auto-assign-public-ip-disabled - - vpc-default-security-group-closed - - vpc-sg-open-only-to-authorized-ports - - wafv2-logging-enabled - Operational-Best-Practices-for-CMMC-Level-3: - - access-keys-rotated - - account-part-of-organizations - - acm-certificate-expiration-check - - alb-http-drop-invalid-header-enabled - - alb-http-to-https-redirection-check - - alb-waf-enabled - - api-gw-associated-with-waf - - api-gw-cache-enabled-and-encrypted - - api-gw-execution-logging-enabled - - api-gw-ssl-enabled - - autoscaling-group-elb-healthcheck-required - - autoscaling-launch-config-public-ip-disabled - - 
backup-plan-min-frequency-and-min-retention-check - - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-encryption-enabled - - cloud-trail-log-file-validation-enabled - - cloudtrail-enabled - - cloudtrail-s3-dataevents-enabled - - cloudtrail-security-trail-enabled - - cloudwatch-alarm-action-check - - cloudwatch-log-group-encrypted - - cmk-backing-key-rotation-enabled - - codebuild-project-envvar-awscred-check - - codebuild-project-source-repo-url-check - - cw-loggroup-retention-period-check - - db-instance-backup-enabled - - dms-replication-not-public - - dynamodb-autoscaling-enabled - - dynamodb-in-backup-plan - - dynamodb-pitr-enabled - - ebs-in-backup-plan - - ebs-optimized-instance - - ebs-snapshot-public-restorable-check - - ec2-ebs-encryption-by-default - - ec2-imdsv2-check - - ec2-instance-managed-by-systems-manager - - ec2-instance-no-public-ip - - ec2-instance-profile-attached - - ec2-instances-in-vpc - - ec2-managedinstance-association-compliance-status-check - - ec2-managedinstance-patch-compliance-status-check - - ec2-stopped-instance - - ec2-volume-inuse-check - - ecr-private-image-scanning-enabled - - efs-encrypted-check - - efs-in-backup-plan - - eip-attached - - elastic-beanstalk-managed-updates-enabled - - elasticache-redis-cluster-automatic-backup-check - - elasticsearch-encrypted-at-rest - - elasticsearch-in-vpc-only - - elasticsearch-node-to-node-encryption-check - - elb-acm-certificate-required - - elb-cross-zone-load-balancing-enabled - - elb-deletion-protection-enabled - - elb-logging-enabled - - elb-tls-https-listeners-only - - elbv2-acm-certificate-required - - emr-kerberos-enabled - - emr-master-no-public-ip - - encrypted-volumes - - guardduty-enabled-centralized - - guardduty-non-archived-findings - - iam-customer-policy-blocked-kms-actions - - iam-group-has-users-check - - iam-inline-policy-blocked-kms-actions - - iam-no-inline-policy-check - - iam-password-policy - - iam-policy-no-statements-with-admin-access - - 
iam-policy-no-statements-with-full-access - - iam-root-access-key-check - - iam-user-group-membership-check - - iam-user-mfa-enabled - - iam-user-no-policies-check - - iam-user-unused-credentials-check - - internet-gateway-authorized-vpc-only - - kms-cmk-not-scheduled-for-deletion - - lambda-dlq-check + - kinesis-stream-encrypted - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw + - opensearch-audit-logging-enabled - opensearch-encrypted-at-rest + - opensearch-https-required - opensearch-in-vpc-only + - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check - - rds-automatic-minor-version-upgrade-enabled - - rds-in-backup-plan - - rds-instance-deletion-protection-enabled + - rds-instance-iam-authentication-enabled - rds-instance-public-access-check - rds-logging-enabled - - rds-multi-az-support - rds-snapshot-encrypted - rds-snapshots-public-prohibited - rds-storage-encrypted - - redshift-backup-enabled + - redshift-audit-logging-enabled + - redshift-cluster-configuration-check - redshift-cluster-kms-enabled - - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - restricted-common-ports 
@@ -3016,94 +2512,57 @@ packs: - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic + - s3-bucket-acl-prohibited - s3-bucket-default-lock-enabled - s3-bucket-level-public-access-prohibited - s3-bucket-logging-enabled - - s3-bucket-policy-grantee-check - s3-bucket-public-read-prohibited - s3-bucket-public-write-prohibited - - s3-bucket-replication-enabled - s3-bucket-server-side-encryption-enabled - s3-bucket-ssl-requests-only - - s3-bucket-versioning-enabled - s3-default-encryption-kms - sagemaker-endpoint-configuration-kms-key-configured - sagemaker-notebook-instance-kms-key-configured - sagemaker-notebook-no-direct-internet-access - - secretsmanager-rotation-enabled-check - - secretsmanager-scheduled-rotation-success-check + - secretsmanager-secret-unused + - secretsmanager-using-cmk - securityhub-enabled - sns-encrypted-kms - - ssm-document-not-public - subnet-auto-assign-public-ip-disabled - vpc-default-security-group-closed + - vpc-flow-logs-enabled + - vpc-network-acl-unused-check - vpc-sg-open-only-to-authorized-ports - - vpc-vpn-2-tunnels-up + - waf-regional-rule-not-empty + - waf-regional-rulegroup-not-empty + - waf-regional-webacl-not-empty - wafv2-logging-enabled - Operational-Best-Practices-for-CMMC-Level-4: + Operational-Best-Practices-for-CMMC-2.0-Level-1: - access-keys-rotated - - account-part-of-organizations - - acm-certificate-expiration-check - alb-http-drop-invalid-header-enabled - alb-http-to-https-redirection-check - alb-waf-enabled - api-gw-associated-with-waf - - api-gw-cache-enabled-and-encrypted - api-gw-execution-logging-enabled - - api-gw-ssl-enabled - - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - - backup-plan-min-frequency-and-min-retention-check - cloud-trail-cloud-watch-logs-enabled - - cloud-trail-encryption-enabled - - cloud-trail-log-file-validation-enabled - - cloudtrail-enabled - cloudtrail-s3-dataevents-enabled - - 
cloudtrail-security-trail-enabled - cloudwatch-alarm-action-check - - cloudwatch-log-group-encrypted - - cmk-backing-key-rotation-enabled - - codebuild-project-envvar-awscred-check - - codebuild-project-source-repo-url-check - - cw-loggroup-retention-period-check - - db-instance-backup-enabled - dms-replication-not-public - - dynamodb-autoscaling-enabled - - dynamodb-in-backup-plan - - dynamodb-pitr-enabled - - ebs-in-backup-plan - - ebs-optimized-instance - ebs-snapshot-public-restorable-check - - ec2-ebs-encryption-by-default - ec2-imdsv2-check - - ec2-instance-managed-by-systems-manager - ec2-instance-no-public-ip - ec2-instance-profile-attached - ec2-instances-in-vpc - - ec2-managedinstance-association-compliance-status-check - - ec2-managedinstance-patch-compliance-status-check - - ec2-stopped-instance - - ec2-volume-inuse-check - ecr-private-image-scanning-enabled - - efs-encrypted-check - - efs-in-backup-plan - - eip-attached - - elastic-beanstalk-managed-updates-enabled - - elasticache-redis-cluster-automatic-backup-check - - elasticsearch-encrypted-at-rest - elasticsearch-in-vpc-only - elasticsearch-node-to-node-encryption-check - elb-acm-certificate-required - - elb-cross-zone-load-balancing-enabled - - elb-deletion-protection-enabled - elb-logging-enabled - elb-tls-https-listeners-only - - elbv2-acm-certificate-required - emr-kerberos-enabled - emr-master-no-public-ip - - encrypted-volumes - guardduty-enabled-centralized - - guardduty-non-archived-findings - iam-customer-policy-blocked-kms-actions - iam-group-has-users-check - iam-inline-policy-blocked-kms-actions 
@@ -3117,28 +2576,16 @@ packs: - iam-user-no-policies-check - iam-user-unused-credentials-check - internet-gateway-authorized-vpc-only - - kms-cmk-not-scheduled-for-deletion - - lambda-dlq-check - lambda-function-public-access-prohibited - lambda-inside-vpc - mfa-enabled-for-iam-console-access - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - - opensearch-encrypted-at-rest - opensearch-in-vpc-only - opensearch-node-to-node-encryption-check - - rds-automatic-minor-version-upgrade-enabled - - rds-in-backup-plan - - rds-instance-deletion-protection-enabled - rds-instance-public-access-check - rds-logging-enabled - - rds-multi-az-support - - rds-snapshot-encrypted - rds-snapshots-public-prohibited - - rds-storage-encrypted - - redshift-backup-enabled - - redshift-cluster-kms-enabled - - redshift-cluster-maintenancesettings-check - redshift-cluster-public-access-check - redshift-require-tls-ssl - restricted-common-ports 
@@ -3146,31 +2593,22 @@ packs: - root-account-hardware-mfa-enabled - root-account-mfa-enabled - s3-account-level-public-access-blocks-periodic - - s3-bucket-default-lock-enabled - s3-bucket-level-public-access-prohibited - s3-bucket-logging-enabled - s3-bucket-policy-grantee-check - s3-bucket-public-read-prohibited - s3-bucket-public-write-prohibited - - s3-bucket-replication-enabled - - s3-bucket-server-side-encryption-enabled - s3-bucket-ssl-requests-only - - s3-bucket-versioning-enabled - - s3-default-encryption-kms - - sagemaker-endpoint-configuration-kms-key-configured - - sagemaker-notebook-instance-kms-key-configured - sagemaker-notebook-no-direct-internet-access - secretsmanager-rotation-enabled-check - secretsmanager-scheduled-rotation-success-check - securityhub-enabled - - sns-encrypted-kms - ssm-document-not-public - subnet-auto-assign-public-ip-disabled - vpc-default-security-group-closed - vpc-sg-open-only-to-authorized-ports - - vpc-vpn-2-tunnels-up - wafv2-logging-enabled - Operational-Best-Practices-for-CMMC-Level-5: + Operational-Best-Practices-for-CMMC-2.0-Level-2: - access-keys-rotated - account-part-of-organizations - acm-certificate-expiration-check @@ -3181,7 +2619,6 @@ packs: - api-gw-cache-enabled-and-encrypted - api-gw-execution-logging-enabled - api-gw-ssl-enabled - - autoscaling-group-elb-healthcheck-required - autoscaling-launch-config-public-ip-disabled - backup-plan-min-frequency-and-min-retention-check - cloud-trail-cloud-watch-logs-enabled @@ -3258,6 +2695,7 @@ packs: - opensearch-in-vpc-only - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check 
@@ -3297,7 +2735,6 @@ packs: - ssm-document-not-public - subnet-auto-assign-public-ip-disabled - vpc-default-security-group-closed - - vpc-network-acl-unused-check - vpc-sg-open-only-to-authorized-ports - vpc-vpn-2-tunnels-up - wafv2-logging-enabled @@ -3365,6 +2802,7 @@ packs: - dynamodb-table-encrypted-kms - dynamodb-throughput-limit-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-default-admin-check @@ -3694,6 +3132,7 @@ packs: - opensearch-encrypted-at-rest - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-public-access-check - rds-logging-enabled @@ -3821,6 +3260,7 @@ packs: - opensearch-in-vpc-only - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -3948,6 +3388,7 @@ packs: - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-logs-to-cloudwatch + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -4078,6 +3519,7 @@ packs: - mfa-enabled-for-iam-console-access - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -4178,6 +3620,7 @@ packs: - lambda-inside-vpc - mfa-enabled-for-iam-console-access - multi-region-cloudtrail-enabled + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check 
@@ -4290,6 +3733,7 @@ packs: - multi-region-cloudtrail-enabled - no-unrestricted-route-to-igw - opensearch-in-vpc-only + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -4691,6 +4135,7 @@ packs: - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled - rds-cluster-deletion-protection-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-public-access-check @@ -4942,6 +4387,7 @@ packs: - no-unrestricted-route-to-igw - opensearch-encrypted-at-rest - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -5173,6 +4619,7 @@ packs: - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -5343,6 +4790,7 @@ packs: - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -5467,6 +4915,7 @@ packs: - opensearch-encrypted-at-rest - opensearch-in-vpc-only - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -5594,6 +5043,7 @@ packs: - opensearch-in-vpc-only - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-iam-authentication-enabled 
@@ -5904,6 +5354,7 @@ packs: - opensearch-in-vpc-only - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled - rds-instance-public-access-check @@ -6079,6 +5530,7 @@ packs: - lambda-inside-vpc - mfa-enabled-for-iam-console-access - multi-region-cloudtrail-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -6200,6 +5652,7 @@ packs: - opensearch-in-vpc-only - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-instance-default-admin-check - rds-instance-deletion-protection-enabled @@ -6329,6 +5782,7 @@ packs: - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -6455,6 +5909,7 @@ packs: - opensearch-in-vpc-only - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled @@ -6583,6 +6038,7 @@ packs: - opensearch-in-vpc-only - opensearch-logs-to-cloudwatch - opensearch-node-to-node-encryption-check + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled 
@@ -6882,6 +6338,234 @@ packs: - waf-regional-rulegroup-not-empty - waf-regional-webacl-not-empty - wafv2-logging-enabled + Operational-Best-Practices-for-PCI-DSS-v4.0-excluding-global-resourcetypes: + - access-keys-rotated + - acm-certificate-rsa-check + - acm-pca-root-ca-disabled + - api-gw-cache-enabled-and-encrypted + - api-gw-endpoint-type-check + - api-gw-xray-enabled + - api-gwv2-access-logs-enabled + - appsync-associated-with-waf + - appsync-logging-enabled + - athena-workgroup-encrypted-at-rest + - aurora-resources-protected-by-backup-plan + - autoscaling-launchconfig-requires-imdsv2 + - backup-recovery-point-manual-deletion-disabled + - cloudtrail-enabled + - cloudtrail-security-trail-enabled + - cloudwatch-alarm-action-check + - cloudwatch-alarm-resource-check + - cloudwatch-alarm-settings-check + - codebuild-project-artifact-encryption + - codebuild-project-envvar-awscred-check + - codebuild-project-s3-logs-encrypted + - codebuild-project-source-repo-url-check + - codedeploy-lambda-allatonce-traffic-shift-disabled + - cw-loggroup-retention-period-check + - db-instance-backup-enabled + - dms-endpoint-ssl-configured + - dms-redis-tls-enabled + - dynamodb-in-backup-plan + - dynamodb-pitr-enabled + - dynamodb-resources-protected-by-backup-plan + - dynamodb-table-encrypted-kms + - ebs-in-backup-plan + - ebs-resources-protected-by-backup-plan + - ec2-client-vpn-not-authorize-all + - ec2-imdsv2-check + - ec2-instance-detailed-monitoring-enabled + - ec2-instance-profile-attached + - ec2-launch-template-public-ip-disabled + - ec2-no-amazon-key-pair + - ec2-resources-protected-by-backup-plan + - ec2-volume-inuse-check + - ecr-private-lifecycle-policy-configured + - ecs-task-definition-log-configuration + - ecs-task-definition-pid-mode-check + - efs-resources-protected-by-backup-plan + - eks-cluster-logging-enabled + - eks-cluster-oldest-supported-version + - eks-cluster-secrets-encrypted + - eks-endpoint-no-public-access + - eks-secrets-encrypted + - 
elastic-beanstalk-logs-to-cloudwatch + - elasticache-redis-cluster-automatic-backup-check + - elb-acm-certificate-required + - emr-block-public-access + - fsx-resources-protected-by-backup-plan + - iam-policy-in-use + - internet-gateway-authorized-vpc-only + - kinesis-stream-encrypted + - lambda-function-settings-check + - macie-auto-sensitive-data-discovery-check + - macie-status-check + - mq-cloudwatch-audit-log-enabled + - mq-cloudwatch-audit-logging-enabled + - msk-in-cluster-node-require-tls + - multi-region-cloudtrail-enabled + - nacl-no-unrestricted-ssh-rdp + - neptune-cluster-backup-retention-check + - neptune-cluster-cloudwatch-log-export-enabled + - neptune-cluster-encrypted + - neptune-cluster-iam-database-authentication + - neptune-cluster-snapshot-encrypted + - neptune-cluster-snapshot-public-prohibited + - netfw-logging-enabled + - netfw-policy-default-action-fragment-packets + - netfw-policy-default-action-full-packets + - rds-in-backup-plan + - redshift-backup-enabled + - redshift-cluster-kms-enabled + - redshift-enhanced-vpc-routing-enabled + - restricted-ssh + - s3-access-point-public-access-blocks + - s3-account-level-public-access-blocks + - s3-bucket-blacklisted-actions-prohibited + - s3-bucket-default-lock-enabled + - s3-bucket-mfa-delete-enabled + - s3-bucket-policy-not-more-permissive + - s3-bucket-versioning-enabled + - s3-resources-protected-by-backup-plan + - secretsmanager-scheduled-rotation-success-check + - secretsmanager-secret-periodic-rotation + - secretsmanager-secret-unused + - security-account-information-provided + - service-catalog-shared-within-organization + - sns-topic-message-delivery-notification-enabled + - step-functions-state-machine-logging-enabled + - transfer-family-server-no-ftp + - wafv2-rulegroup-logging-enabled + - wafv2-rulegroup-not-empty + - wafv2-webacl-not-empty + Operational-Best-Practices-for-PCI-DSS-v4.0-including-global-resourcetypes: + - access-keys-rotated + - acm-certificate-rsa-check + - 
acm-pca-root-ca-disabled + - api-gw-cache-enabled-and-encrypted + - api-gw-endpoint-type-check + - api-gw-xray-enabled + - api-gwv2-access-logs-enabled + - appsync-associated-with-waf + - appsync-logging-enabled + - athena-workgroup-encrypted-at-rest + - aurora-resources-protected-by-backup-plan + - autoscaling-launchconfig-requires-imdsv2 + - backup-recovery-point-manual-deletion-disabled + - cloudformation-stack-notification-check + - cloudfront-accesslogs-enabled + - cloudfront-associated-with-waf + - cloudfront-custom-ssl-certificate + - cloudfront-no-deprecated-ssl-protocols + - cloudfront-origin-access-identity-enabled + - cloudfront-s3-origin-access-control-enabled + - cloudfront-security-policy-check + - cloudfront-sni-enabled + - cloudfront-traffic-to-origin-encrypted + - cloudfront-viewer-policy-https + - cloudtrail-enabled + - cloudtrail-security-trail-enabled + - cloudwatch-alarm-action-check + - cloudwatch-alarm-resource-check + - cloudwatch-alarm-settings-check + - codebuild-project-artifact-encryption + - codebuild-project-envvar-awscred-check + - codebuild-project-s3-logs-encrypted + - codebuild-project-source-repo-url-check + - codedeploy-lambda-allatonce-traffic-shift-disabled + - codepipeline-deployment-count-check + - cw-loggroup-retention-period-check + - dax-encryption-enabled + - dax-tls-endpoint-encryption + - db-instance-backup-enabled + - dms-endpoint-ssl-configured + - dms-redis-tls-enabled + - docdb-cluster-encrypted + - docdb-cluster-snapshot-public-prohibited + - dynamodb-in-backup-plan + - dynamodb-pitr-enabled + - dynamodb-resources-protected-by-backup-plan + - dynamodb-table-encrypted-kms + - dynamodb-table-encryption-enabled + - ebs-in-backup-plan + - ebs-resources-protected-by-backup-plan + - ec2-client-vpn-not-authorize-all + - ec2-imdsv2-check + - ec2-instance-detailed-monitoring-enabled + - ec2-instance-profile-attached + - ec2-launch-template-public-ip-disabled + - ec2-no-amazon-key-pair + - 
ec2-resources-protected-by-backup-plan + - ec2-transit-gateway-auto-vpc-attach-disabled + - ec2-volume-inuse-check + - ecr-private-lifecycle-policy-configured + - ecs-task-definition-log-configuration + - ecs-task-definition-pid-mode-check + - efs-in-backup-plan + - efs-resources-protected-by-backup-plan + - eks-cluster-logging-enabled + - eks-cluster-oldest-supported-version + - eks-cluster-secrets-encrypted + - eks-endpoint-no-public-access + - eks-secrets-encrypted + - elastic-beanstalk-logs-to-cloudwatch + - elasticache-redis-cluster-automatic-backup-check + - elb-acm-certificate-required + - emr-block-public-access + - fsx-resources-protected-by-backup-plan + - iam-policy-in-use + - internet-gateway-authorized-vpc-only + - kinesis-stream-encrypted + - lambda-function-settings-check + - macie-auto-sensitive-data-discovery-check + - macie-status-check + - mq-cloudwatch-audit-log-enabled + - mq-cloudwatch-audit-logging-enabled + - msk-in-cluster-node-require-tls + - multi-region-cloudtrail-enabled + - nacl-no-unrestricted-ssh-rdp + - neptune-cluster-backup-retention-check + - neptune-cluster-cloudwatch-log-export-enabled + - neptune-cluster-encrypted + - neptune-cluster-iam-database-authentication + - neptune-cluster-snapshot-encrypted + - neptune-cluster-snapshot-public-prohibited + - netfw-logging-enabled + - netfw-policy-default-action-fragment-packets + - netfw-policy-default-action-full-packets + - rds-cluster-iam-authentication-enabled + - rds-db-security-group-not-allowed + - rds-in-backup-plan + - rds-instance-iam-authentication-enabled + - rds-resources-protected-by-backup-plan + - redshift-backup-enabled + - redshift-cluster-kms-enabled + - redshift-enhanced-vpc-routing-enabled + - restricted-ssh + - s3-access-point-public-access-blocks + - s3-account-level-public-access-blocks + - s3-bucket-blacklisted-actions-prohibited + - s3-bucket-default-lock-enabled + - s3-bucket-mfa-delete-enabled + - s3-bucket-policy-not-more-permissive + - 
s3-bucket-versioning-enabled + - s3-resources-protected-by-backup-plan + - secretsmanager-scheduled-rotation-success-check + - secretsmanager-secret-periodic-rotation + - secretsmanager-secret-unused + - security-account-information-provided + - service-catalog-shared-within-organization + - shield-drt-access + - sns-topic-message-delivery-notification-enabled + - step-functions-state-machine-logging-enabled + - transfer-family-server-no-ftp + - waf-classic-logging-enabled + - waf-global-rule-not-empty + - waf-global-rulegroup-not-empty + - waf-global-webacl-not-empty + - wafv2-rulegroup-logging-enabled + - wafv2-rulegroup-not-empty + - wafv2-webacl-not-empty Operational-Best-Practices-for-Publicly-Accessible-Resources: - autoscaling-launch-config-public-ip-disabled - dms-replication-not-public @@ -7096,6 +6780,7 @@ packs: - opensearch-in-vpc-only - opensearch-logs-to-cloudwatch - rds-automatic-minor-version-upgrade-enabled + - rds-cluster-multi-az-enabled - rds-enhanced-monitoring-enabled - rds-in-backup-plan - rds-instance-deletion-protection-enabled diff --git a/managed_rules_locals.tf b/managed_rules_locals.tf index 44fdda2..a71dc58 100644 --- a/managed_rules_locals.tf +++ b/managed_rules_locals.tf 
@@ -38,6 +38,14 @@ locals {
 severity = "Low"
 }
+ active-mq-supported-version = {
+ description = "Checks if an Amazon MQ ActiveMQ broker is running on a specified minimum supported engine version. The rule is NON_COMPLIANT if the ActiveMQ broker is not running on the minimum supported engine version that you specify."
+ identifier = "ACTIVE_MQ_SUPPORTED_VERSION"
+ input_parameters = var.active_mq_supported_version_parameters
+ resource_types_scope = ["AWS::AmazonMQ::Broker"]
+ severity = "Medium"
+ }
+
 alb-desync-mode-check = {
 description = "Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode. The rule is NON_COMPLIANT if ALB desync mitigation mode does not match with the user defined desync mitigation mode."
 identifier = "ALB_DESYNC_MODE_CHECK"
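Review bot: `var.active_mq_supported_version_parameters` feeds a rule whose description says the minimum engine version is one "that you specify", so this parameter is not optional the way the tag-key parameters elsewhere in this file are; the variable is declared in managed_rules_variables.tf, which is in the diffstat but not in this view, so its default is not visible. If it defaults to an empty map like the optional ones, a module user who enables the rule without overriding it will probably only find out at apply time, when Config rejects the rule for the missing parameter. The variable description should state that the parameter is required for this rule, or a `validation` block should reject an empty value; the same applies to `rabbit-mq-supported-version` in a later hunk. The enclosing `locals` block starts and ends outside the hunk.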
@@ -129,6 +137,94 @@ locals {
 severity = "Low"
 }
+ appconfig-application-tagged = {
+ description = "Checks if AWS AppConfig applications have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPCONFIG_APPLICATION_TAGGED"
+ input_parameters = var.appconfig_application_tagged_parameters
+ resource_types_scope = ["AWS::AppConfig::Application"]
+ severity = "Medium"
+ }
+
+ appconfig-configuration-profile-tagged = {
+ description = "Checks if AWS AppConfig configuration profiles have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPCONFIG_CONFIGURATION_PROFILE_TAGGED"
+ input_parameters = var.appconfig_configuration_profile_tagged_parameters
+ resource_types_scope = ["AWS::AppConfig::ConfigurationProfile"]
+ severity = "Medium"
+ }
+
+ appconfig-environment-tagged = {
+ description = "Checks if AWS AppConfig environments have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPCONFIG_ENVIRONMENT_TAGGED"
+ input_parameters = var.appconfig_environment_tagged_parameters
+ resource_types_scope = ["AWS::AppConfig::Environment"]
+ severity = "Medium"
+ }
+
+ appconfig-extension-association-tagged = {
+ description = "Checks if AWS AppConfig extension associations have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPCONFIG_EXTENSION_ASSOCIATION_TAGGED"
+ input_parameters = var.appconfig_extension_association_tagged_parameters
+ resource_types_scope = ["AWS::AppConfig::ExtensionAssociation"]
+ severity = "Medium"
+ }
+
+ appmesh-gateway-route-tagged = {
+ description = "Checks if AWS App Mesh gateway routes have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPMESH_GATEWAY_ROUTE_TAGGED"
+ input_parameters = var.appmesh_gateway_route_tagged_parameters
+ resource_types_scope = ["AWS::AppMesh::GatewayRoute"]
+ severity = "Medium"
+ }
+
+ appmesh-mesh-tagged = {
+ description = "Checks if AWS App Mesh meshes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPMESH_MESH_TAGGED"
+ input_parameters = var.appmesh_mesh_tagged_parameters
+ resource_types_scope = ["AWS::AppMesh::Mesh"]
+ severity = "Medium"
+ }
+
+ appmesh-route-tagged = {
+ description = "Checks if AWS App Mesh routes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPMESH_ROUTE_TAGGED"
+ input_parameters = var.appmesh_route_tagged_parameters
+ resource_types_scope = ["AWS::AppMesh::Route"]
+ severity = "Medium"
+ }
+
+ appmesh-virtual-gateway-tagged = {
+ description = "Checks if AWS App Mesh virtual gateways have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPMESH_VIRTUAL_GATEWAY_TAGGED"
+ input_parameters = var.appmesh_virtual_gateway_tagged_parameters
+ resource_types_scope = ["AWS::AppMesh::VirtualGateway"]
+ severity = "Medium"
+ }
+
+ appmesh-virtual-node-tagged = {
+ description = "Checks if AWS App Mesh virtual nodes have tags. Optionally, you can specify tag keys for the rule to check. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPMESH_VIRTUAL_NODE_TAGGED"
+ input_parameters = var.appmesh_virtual_node_tagged_parameters
+ resource_types_scope = ["AWS::AppMesh::VirtualNode"]
+ severity = "Medium"
+ }
+
+ appmesh-virtual-router-tagged = {
+ description = "Checks if AWS App Mesh virtual routers have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPMESH_VIRTUAL_ROUTER_TAGGED"
+ input_parameters = var.appmesh_virtual_router_tagged_parameters
+ resource_types_scope = ["AWS::AppMesh::VirtualRouter"]
+ severity = "Medium"
+ }
+
+ appmesh-virtual-service-tagged = {
+ description = "Checks if AWS App Mesh virtual services have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "APPMESH_VIRTUAL_SERVICE_TAGGED"
+ input_parameters = var.appmesh_virtual_service_tagged_parameters
+ resource_types_scope = ["AWS::AppMesh::VirtualService"]
+ severity = "Medium"
+ }
+
 approved-amis-by-id = {
 description = "Checks if running EC2 instances are using specified Amazon Machine Images (AMIs). Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are NON_COMPLIANT."
 identifier = "APPROVED_AMIS_BY_ID"
@@ -161,6 +257,20 @@ locals {
 severity = "High"
 }
+ appsync-cache-ct-encryption-at-rest = {
+ description = "Checks if an AWS AppSync API cache has encryption at rest enabled. This rule is NON_COMPLIANT if AtRestEncryptionEnabled is false."
+ identifier = "APPSYNC_CACHE_CT_ENCRYPTION_AT_REST"
+ resource_types_scope = ["AWS::AppSync::ApiCache"]
+ severity = "Medium"
+ }
+
+ appsync-cache-ct-encryption-in-transit = {
+ description = "Checks if an AWS AppSync API cache has encryption in transit enabled. The rule is NON_COMPLIANT if TransitEncryptionEnabled is false."
+ identifier = "APPSYNC_CACHE_CT_ENCRYPTION_IN_TRANSIT"
+ resource_types_scope = ["AWS::AppSync::ApiCache"]
+ severity = "Medium"
+ }
+
 appsync-cache-encryption-at-rest = {
 description = "Checks if an AWS AppSync API cache has encryption at rest enabled. This rule is NON_COMPLIANT if AtRestEncryptionEnabled is false."
 identifier = "APPSYNC_CACHE_ENCRYPTION_AT_REST"
@@ -169,7 +279,7 @@ locals {
 }
 appsync-logging-enabled = {
- description = "Checks if an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or fieldLogLevel is neither ERROR nor ALL."
+ description = "Checks if an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or if the field logging levels for the AWS AppSync API do not match the values specified in the fieldLoggingLevel rule parameter."
 identifier = "APPSYNC_LOGGING_ENABLED"
 input_parameters = var.appsync_logging_enabled_parameters
 resource_types_scope = ["AWS::AppSync::GraphQLApi"]
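Review bot: The description of the new `appsync-cache-ct-encryption-at-rest` entry is word-for-word the same as the existing `appsync-cache-encryption-at-rest` that follows it in the hunk, and `appsync-cache-ct-encryption-in-transit` presumably mirrors its existing sibling the same way, so nothing in the file tells a reader which variant to enable or how they differ beyond the `_CT_` in the identifier. A one-line comment on each new entry would help, e.g. `# Distinct managed-rule identifier with the same description as appsync-cache-encryption-at-rest; check the AWS Config docs for which variant applies before enabling both`. The same infix appears in `efs-filesystem-ct-encrypted` in a later hunk. The enclosing `locals` block starts and ends outside the hunk.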
@@ -281,7 +391,7 @@ locals {
 }
 autoscaling-multiple-instance-types = {
- description = "Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types. This rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined."
+ description = "Checks if an Amazon EC2 Auto Scaling group uses multiple instance types. The rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined. This rule does not evaluate attribute-based instance types."
 identifier = "AUTOSCALING_MULTIPLE_INSTANCE_TYPES"
 resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
 severity = "Medium"
@@ -657,8 +767,9 @@ locals {
 }
 cognito-user-pool-advanced-security-enabled = {
- description = "Checks if an Amazon Cognito user pool has Advanced security enabled. This rule is NON_COMPLIANT if Advanced security is not enabled."
+ description = "Checks if an Amazon Cognito user pool has advanced security enabled. The rule is NON_COMPLIANT if advanced security is not enabled. Optionally, you can specify an advanced security mode for the rule to check."
 identifier = "COGNITO_USER_POOL_ADVANCED_SECURITY_ENABLED"
+ input_parameters = var.cognito_user_pool_advanced_security_enabled_parameters
 resource_types_scope = ["AWS::Cognito::UserPool"]
 severity = "Medium"
 }
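Review bot: `input_parameters = var.cognito_user_pool_advanced_security_enabled_parameters` adds an input to a rule that previously took none, and the updated description says the mode is optional; the variable is declared in managed_rules_variables.tf outside this view, so its default is not visible. If it has no default it becomes a required module input, and if its default is anything other than an empty map, existing consumers who enable this rule get a parameter change on upgrade that nothing in the commit calls out. Please confirm the default yields no parameters, and state in the variable description that omitting it keeps the previous behaviour. The enclosing `locals` block starts and ends outside the hunk.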
@@ -1023,6 +1134,13 @@ locals {
 severity = "Medium"
 }
+ ec2-launch-template-imdsv2-check = {
+ description = "Checks if the currently set default version of an Amazon EC2 Launch Template requires new launched instances to use V2 of the Amazon EC2 Instance Metadata Service (IMDSv2). The rule is NON_COMPLIANT if Metadata version is not specified as V2 (IMDSv2)."
+ identifier = "EC2_LAUNCH_TEMPLATE_IMDSV2_CHECK"
+ resource_types_scope = ["AWS::EC2::LaunchTemplate"]
+ severity = "Low"
+ }
+
 ec2-launch-template-public-ip-disabled = {
 description = "Checks if Amazon EC2 Launch Templates are set to assign public IP addresses to Network Interfaces. The rule is NON_COMPLIANT if the default version of an EC2 Launch Template has at least 1 Network Interface with AssociatePublicIpAddress set to true ."
 identifier = "EC2_LAUNCH_TEMPLATE_PUBLIC_IP_DISABLED"
@@ -1160,6 +1278,13 @@ locals {
 severity = "Low"
 }
+ ec2-vpn-connection-logging-enabled = {
+ description = "Checks if AWS Site-to-Site VPN connections have Amazon CloudWatch logging enabled for both tunnels. The rule is NON_COMPLIANT if a Site-to-Site VPN connection does not have CloudWatch logging enabled for either or both tunnels."
+ identifier = "EC2_VPN_CONNECTION_LOGGING_ENABLED"
+ resource_types_scope = ["AWS::EC2::VPNConnection"]
+ severity = "Medium"
+ }
+
 ecr-private-image-scanning-enabled = {
 description = "Checks if a private Amazon Elastic Container Registry (Amazon ECR) repository has image scanning enabled.The rule is NON_COMPLIANT if the private Amazon ECR repository's scan frequency is not on scan on push or continuous scan.For more information on..."
 identifier = "ECR_PRIVATE_IMAGE_SCANNING_ENABLED"
@@ -1292,6 +1417,14 @@ locals {
 severity = "Medium"
 }
+ efs-filesystem-ct-encrypted = {
+ description = "Checks if Amazon Elastic File System (Amazon EFS) encrypts data with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if a file system is not encrypted. Optionally, you can check if a file system is not encrypted with specified KMS keys."
+ identifier = "EFS_FILESYSTEM_CT_ENCRYPTED"
+ input_parameters = var.efs_filesystem_ct_encrypted_parameters
+ resource_types_scope = ["AWS::EFS::FileSystem"]
+ severity = "Medium"
+ }
+
 efs-in-backup-plan = {
 description = "Checks if Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans."
 identifier = "EFS_IN_BACKUP_PLAN"
@@ -1609,6 +1742,30 @@ locals {
 severity = "Medium"
 }
+ evidently-launch-tagged = {
+ description = "Checks if Amazon CloudWatch Evidently launches have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "EVIDENTLY_LAUNCH_TAGGED"
+ input_parameters = var.evidently_launch_tagged_parameters
+ resource_types_scope = ["AWS::Evidently::Launch"]
+ severity = "Medium"
+ }
+
+ evidently-project-tagged = {
+ description = "Checks if Amazon CloudWatch Evidently projects have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "EVIDENTLY_PROJECT_TAGGED"
+ input_parameters = var.evidently_project_tagged_parameters
+ resource_types_scope = ["AWS::Evidently::Project"]
+ severity = "Medium"
+ }
+
+ evidently-segment-tagged = {
+ description = "Checks if Amazon CloudWatch Evidently segments have tags. Optionally, you can specify tag keys. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "EVIDENTLY_SEGMENT_TAGGED"
+ input_parameters = var.evidently_segment_tagged_parameters
+ resource_types_scope = ["AWS::Evidently::Segment"]
+ severity = "Medium"
+ }
+
 fms-shield-resource-policy-check = {
 description = "Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection. It also checks if they have web ACL associated for Application Load Balancer and Amazon CloudFront distributions."
 identifier = "FMS_SHIELD_RESOURCE_POLICY_CHECK"
@@ -1633,6 +1790,38 @@ locals {
 severity = "Medium"
 }
+ frauddetector-entity-type-tagged = {
+ description = "Checks if Amazon Fraud Detector entity types have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "FRAUDDETECTOR_ENTITY_TYPE_TAGGED"
+ input_parameters = var.frauddetector_entity_type_tagged_parameters
+ resource_types_scope = ["AWS::FraudDetector::EntityType"]
+ severity = "Medium"
+ }
+
+ frauddetector-label-tagged = {
+ description = "Checks if Amazon Fraud Detector labels have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "FRAUDDETECTOR_LABEL_TAGGED"
+ input_parameters = var.frauddetector_label_tagged_parameters
+ resource_types_scope = ["AWS::FraudDetector::Label"]
+ severity = "Medium"
+ }
+
+ frauddetector-outcome-tagged = {
+ description = "Checks if Amazon Fraud Detector outcomes have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "FRAUDDETECTOR_OUTCOME_TAGGED"
+ input_parameters = var.frauddetector_outcome_tagged_parameters
+ resource_types_scope = ["AWS::FraudDetector::Outcome"]
+ severity = "Medium"
+ }
+
+ frauddetector-variable-tagged = {
+ description = "Checks if Amazon Fraud Detector variables have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "FRAUDDETECTOR_VARIABLE_TAGGED"
+ input_parameters = var.frauddetector_variable_tagged_parameters
+ resource_types_scope = ["AWS::FraudDetector::Variable"]
+ severity = "Medium"
+ }
+
 fsx-last-backup-recovery-point-created = {
 description = "Checks if a recovery point was created for Amazon FSx File Systems. The rule is NON_COMPLIANT if the Amazon FSx File System does not have a corresponding recovery point created within the specified time period."
 identifier = "FSX_LAST_BACKUP_RECOVERY_POINT_CREATED"
@@ -1710,7 +1899,7 @@ locals {
 description = "Checks if Amazon EKS Runtime Monitoring with automated agent management is enabled for GuardDuty detector in your account. The rule is NON_COMPLIANT if EKS Runtime Monitoring with automated agent management in GuardDuty is not enabled for your account."
 identifier = "GUARDDUTY_EKS_PROTECTION_RUNTIME_ENABLED"
 resource_types_scope = ["AWS::GuardDuty::Detector"]
- severity = "Low"
+ severity = "Medium"
 }
 guardduty-enabled-centralized = {
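Review bot: The severity of `guardduty-eks-protection-runtime-enabled` moves from Low to Medium here, and `opensearch-primary-node-fault-tolerance` moves from Medium to Low in a later hunk, with no visible source for the new values. If severity is used downstream to filter or prioritise which rules get deployed, these two one-line changes alter what an existing consumer receives, and a commit titled "Automatic updates" does not surface that. It would help if the generator listed severity changes explicitly in the commit body so a reviewer can check each against the AWS Config documentation before merging. The enclosing `locals` block starts and ends outside the hunk.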
@@ -1933,6 +2122,46 @@ locals {
 severity = "High"
 }
+ iotsitewise-asset-model-tagged = {
+ description = "Checks if AWS IoT SiteWise asset models have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "IOTSITEWISE_ASSET_MODEL_TAGGED"
+ input_parameters = var.iotsitewise_asset_model_tagged_parameters
+ resource_types_scope = ["AWS::IoTSiteWise::AssetModel"]
+ severity = "Medium"
+ }
+
+ iotsitewise-dashboard-tagged = {
+ description = "Checks if AWS IoT SiteWise dashboards have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "IOTSITEWISE_DASHBOARD_TAGGED"
+ input_parameters = var.iotsitewise_dashboard_tagged_parameters
+ resource_types_scope = ["AWS::IoTSiteWise::Dashboard"]
+ severity = "Medium"
+ }
+
+ iotsitewise-gateway-tagged = {
+ description = "Checks if AWS IoT SiteWise gateways have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "IOTSITEWISE_GATEWAY_TAGGED"
+ input_parameters = var.iotsitewise_gateway_tagged_parameters
+ resource_types_scope = ["AWS::IoTSiteWise::Gateway"]
+ severity = "Medium"
+ }
+
+ iotsitewise-portal-tagged = {
+ description = "Checks if AWS IoT SiteWise portals have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "IOTSITEWISE_PORTAL_TAGGED"
+ input_parameters = var.iotsitewise_portal_tagged_parameters
+ resource_types_scope = ["AWS::IoTSiteWise::Portal"]
+ severity = "Medium"
+ }
+
+ iotsitewise-project-tagged = {
+ description = "Checks if AWS IoT SiteWise projects have tags. Optionally, you can specify tag keys for the rule. The rule is NON_COMPLIANT if there are no tags or if the specified tag keys are not present. The rule does not check for tags starting with aws: ."
+ identifier = "IOTSITEWISE_PROJECT_TAGGED"
+ input_parameters = var.iotsitewise_project_tagged_parameters
+ resource_types_scope = ["AWS::IoTSiteWise::Project"]
+ severity = "Medium"
+ }
+
 kinesis-firehose-delivery-stream-encrypted = {
 description = "Checks if Amazon Kinesis Data Firehose delivery streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT if a Kinesis Data Firehose delivery stream is not encrypted at rest with server-side encryption."
 identifier = "KINESIS_FIREHOSE_DELIVERY_STREAM_ENCRYPTED"
@@ -1964,6 +2193,13 @@ locals {
 severity = "Medium"
 }
+ kms-key-policy-no-public-access = {
+ description = "Checks if the AWS KMS key policy allows public access. The rule is NON_COMPLIANT if the KMS key policy allows public access to the KMS key."
+ identifier = "KMS_KEY_POLICY_NO_PUBLIC_ACCESS"
+ resource_types_scope = ["AWS::KMS::Key"]
+ severity = "Critical"
+ }
+
 lambda-concurrency-check = {
 description = "Checks if the Lambda function is configured with a function-level concurrent execution limit. The rule is NON_COMPLIANT if the Lambda function is not configured with a function-level concurrent execution limit."
 identifier = "LAMBDA_CONCURRENCY_CHECK"
@@ -2305,7 +2541,7 @@ locals {
description = "Checks if Amazon OpenSearch Service domains are configured with at least three dedicated primary nodes. The rule is NON_COMPLIANT for an OpenSearch Service domain if DedicatedMasterEnabled is set to false , or DedicatedMasterCount is less than 3."
identifier = "OPENSEARCH_PRIMARY_NODE_FAULT_TOLERANCE"
resource_types_scope = ["AWS::OpenSearch::Domain"]
- severity = "Medium"
+ severity = "Low"
}
opensearch-update-check = {
@@ -2315,6 +2551,14 @@ locals {
severity = "Low"
}
+ rabbit-mq-supported-version = {
+ description = "Checks if an Amazon MQ RabbitMQ broker is running on a specified minimum supported engine version. The rule is NON_COMPLIANT if the RabbitMQ broker is not running on the minimum supported engine version that you specify."
+ identifier = "RABBIT_MQ_SUPPORTED_VERSION"
+ input_parameters = var.rabbit_mq_supported_version_parameters
+ resource_types_scope = ["AWS::AmazonMQ::Broker"]
+ severity = "Medium"
+ }
+
rds-aurora-mysql-audit-logging-enabled = {
description = "Checks if Amazon Aurora MySQL-Compatible Edition clusters are configured to publish audit logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if Aurora MySQL-Compatible Edition clusters do not have audit log publishing configured."
identifier = "RDS_AURORA_MYSQL_AUDIT_LOGGING_ENABLED"
@@ -2462,6 +2706,13 @@ locals {
severity = "Medium"
}
+ rds-mysql-instance-encrypted-in-transit = {
+ description = "Checks if connections to Amazon RDS for MySQL database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated database parameter group is not in-sync or if the require_secure_transport parameter is not set to 1."
+ identifier = "RDS_MYSQL_INSTANCE_ENCRYPTED_IN_TRANSIT"
+ resource_types_scope = ["AWS::RDS::DBInstance"]
+ severity = "Medium"
+ }
+
rds-postgresql-logs-to-cloudwatch = {
description = "Checks if an Amazon PostgreSQL DB instance is configured to publish logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the DB instance is not configured to publish logs to Amazon CloudWatch Logs."
identifier = "RDS_POSTGRESQL_LOGS_TO_CLOUDWATCH"
@@ -2470,6 +2721,13 @@ locals {
severity = "Medium"
}
+ rds-postgres-instance-encrypted-in-transit = {
+ description = "Checks if connections to Amazon RDS PostgreSQL database instances are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated database parameter group is not in-sync or if the rds.force_ssl parameter is not set to 1."
+ identifier = "RDS_POSTGRES_INSTANCE_ENCRYPTED_IN_TRANSIT"
+ resource_types_scope = ["AWS::RDS::DBInstance"]
+ severity = "Medium"
+ }
+
rds-resources-protected-by-backup-plan = {
description = "Checks if Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon RDS Database instance is not covered by a backup plan."
identifier = "RDS_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
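Review bot: `rds-postgres-instance-encrypted-in-transit` (and its sibling `rds-mysql-instance-encrypted-in-transit` in the hunk just above) reports NON_COMPLIANT whenever the parameter group is "not in-sync", so a correct `rds.force_ssl` / `require_secure_transport` change that is still pending-reboot surfaces as a finding until the instance is restarted, and the entry should say so rather than let operators chase it as a policy gap. Both rules are scoped to `AWS::RDS::DBInstance` only; Aurora keeps these settings in a cluster parameter group, so whether Aurora clusters are evaluated at all should be confirmed rather than assumed. Suggested comment above the entry: `# NOTE: a pending-reboot parameter change still evaluates NON_COMPLIANT until applied; scoped to DB instances — confirm Aurora cluster coverage.` The enclosing `locals` block starts and ends outside this hunk.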
@@ -2492,6 +2750,14 @@ locals {
severity = "Medium"
}
+ rds-sql-server-logs-to-cloudwatch = {
+ description = "Checks if an Amazon SQL Server DB instance is configured to publish logs to Amazon CloudWatch Logs. This rule is NON_COMPLIANT if the DB instance is not configured to publish logs to Amazon CloudWatch Logs."
+ identifier = "RDS_SQL_SERVER_LOGS_TO_CLOUDWATCH"
+ input_parameters = var.rds_sql_server_logs_to_cloudwatch_parameters
+ resource_types_scope = ["AWS::RDS::DBInstance"]
+ severity = "Medium"
+ }
+
rds-storage-encrypted = {
description = "Checks if storage encryption is enabled for your Amazon Relational Database Service (Amazon RDS) DB instances. The rule is NON_COMPLIANT if storage encryption is not enabled."
identifier = "RDS_STORAGE_ENCRYPTED"
@@ -2547,6 +2813,13 @@ locals {
severity = "Critical"
}
+ redshift-cluster-subnet-group-multi-az = {
+ description = "Checks If Amazon Redshift subnet groups contain subnets from more than one Availability Zone. The rule is NON_COMPLIANT if an Amazon Redshift subnet group does not contain subnets from at least two different Availability Zones."
+ identifier = "REDSHIFT_CLUSTER_SUBNET_GROUP_MULTI_AZ"
+ resource_types_scope = ["AWS::Redshift::ClusterSubnetGroup"]
+ severity = "Medium"
+ }
+
redshift-default-admin-check = {
description = "Checks if an Amazon Redshift cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username for a Redshift cluster is set to “awsuser” or if the username does not match what is listed in parameter."
identifier = "REDSHIFT_DEFAULT_ADMIN_CHECK"
@@ -2816,7 +3089,7 @@ locals {
identifier = "S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
input_parameters = var.s3_resources_protected_by_backup_plan_parameters
resource_types_scope = ["AWS::S3::Bucket"]
- severity = "High"
+ severity = "Medium"
}
s3-version-lifecycle-policy-check = {
@@ -2973,6 +3246,13 @@ locals {
severity = "Medium"
}
+ sns-topic-no-public-access = {
+ description = "Checks if the SNS topic access policy allows public access. The rule is NON_COMPLIANT if the SNS topic access policy allows public access."
+ identifier = "SNS_TOPIC_NO_PUBLIC_ACCESS"
+ resource_types_scope = ["AWS::SNS::Topic"]
+ severity = "High"
+ }
+
ssm-document-not-public = {
description = "Checks if AWS Systems Manager documents owned by the account are public. The rule is NON_COMPLIANT if Systems Manager documents with the owner Self are public."
identifier = "SSM_DOCUMENT_NOT_PUBLIC"
@@ -3057,6 +3337,14 @@ locals {
severity = "High"
}
+ vpc-endpoint-enabled = {
+ description = "Checks if each service specified in the parameter has an Amazon VPC endpoint. The rule is NON_COMPLIANT if Amazon VPC does not have a VPC endpoint created for each specified service. Optionally, you can specify certain VPCs for the rule to check."
+ identifier = "VPC_ENDPOINT_ENABLED"
+ input_parameters = var.vpc_endpoint_enabled_parameters
+ resource_types_scope = ["AWS::EC2::VPC"]
+ severity = "Medium"
+ }
+
vpc-flow-logs-enabled = {
description = "Checks if Amazon Virtual Private Cloud (Amazon VPC) flow logs are found and enabled for all Amazon VPCs. The rule is NON_COMPLIANT if flow logs are not enabled for at least one Amazon VPC."
identifier = "VPC_FLOW_LOGS_ENABLED"
diff --git a/managed_rules_variables.tf b/managed_rules_variables.tf
index 8f94d19..4506b3a 100644
--- a/managed_rules_variables.tf
+++ b/managed_rules_variables.tf
@@ -36,6 +36,14 @@ variable "acm_pca_root_ca_disabled_parameters" {
default = {}
}
+variable "active_mq_supported_version_parameters" {
+ description = "Input parameters for the active-mq-supported-version rule."
+ type = object({
+ supportedEngineVersion = optional(string, null)
+ })
+ default = {}
+}
+
variable "alb_desync_mode_check_parameters" {
description = "Input parameters for the alb-desync-mode-check rule."
type = object({
@@ -95,6 +103,94 @@ variable "api_gw_ssl_enabled_parameters" {
default = {}
}
+variable "appconfig_application_tagged_parameters" {
+ description = "Input parameters for the appconfig-application-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appconfig_configuration_profile_tagged_parameters" {
+ description = "Input parameters for the appconfig-configuration-profile-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appconfig_environment_tagged_parameters" {
+ description = "Input parameters for the appconfig-environment-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appconfig_extension_association_tagged_parameters" {
+ description = "Input parameters for the appconfig-extension-association-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appmesh_gateway_route_tagged_parameters" {
+ description = "Input parameters for the appmesh-gateway-route-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appmesh_mesh_tagged_parameters" {
+ description = "Input parameters for the appmesh-mesh-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appmesh_route_tagged_parameters" {
+ description = "Input parameters for the appmesh-route-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appmesh_virtual_gateway_tagged_parameters" {
+ description = "Input parameters for the appmesh-virtual-gateway-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appmesh_virtual_node_tagged_parameters" {
+ description = "Input parameters for the appmesh-virtual-node-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appmesh_virtual_router_tagged_parameters" {
+ description = "Input parameters for the appmesh-virtual-router-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "appmesh_virtual_service_tagged_parameters" {
+ description = "Input parameters for the appmesh-virtual-service-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
variable "approved_amis_by_id_parameters" {
description = "Input parameters for the approved-amis-by-id rule."
type = object({
@@ -430,6 +526,14 @@ variable "codepipeline_region_fanout_check_parameters" {
}
+variable "cognito_user_pool_advanced_security_enabled_parameters" {
+ description = "Input parameters for the cognito-user-pool-advanced-security-enabled rule."
+ type = object({
+ SecurityMode = optional(string, null)
+ })
+ default = {}
+}
+
variable "cw_loggroup_retention_period_check_parameters" {
description = "Input parameters for the cw-loggroup-retention-period-check rule."
type = object({
@@ -812,6 +916,14 @@ variable "efs_encrypted_check_parameters" {
default = {}
}
+variable "efs_filesystem_ct_encrypted_parameters" {
+ description = "Input parameters for the efs-filesystem-ct-encrypted rule."
+ type = object({
+ kmsKeyArns = optional(string, null)
+ })
+ default = {}
+}
+
variable "efs_last_backup_recovery_point_created_parameters" {
description = "Input parameters for the efs-last-backup-recovery-point-created rule."
type = object({
@@ -1027,6 +1139,30 @@ variable "encrypted_volumes_parameters" {
default = {}
}
+variable "evidently_launch_tagged_parameters" {
+ description = "Input parameters for the evidently-launch-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "evidently_project_tagged_parameters" {
+ description = "Input parameters for the evidently-project-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "evidently_segment_tagged_parameters" {
+ description = "Input parameters for the evidently-segment-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
variable "fms_shield_resource_policy_check_parameters" {
description = "Input parameters for the fms-shield-resource-policy-check rule."
type = object({
@@ -1062,6 +1198,38 @@ variable "fms_webacl_rulegroup_association_check_parameters" {
default = {}
}
+variable "frauddetector_entity_type_tagged_parameters" {
+ description = "Input parameters for the frauddetector-entity-type-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "frauddetector_label_tagged_parameters" {
+ description = "Input parameters for the frauddetector-label-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "frauddetector_outcome_tagged_parameters" {
+ description = "Input parameters for the frauddetector-outcome-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "frauddetector_variable_tagged_parameters" {
+ description = "Input parameters for the frauddetector-variable-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
variable "fsx_last_backup_recovery_point_created_parameters" {
description = "Input parameters for the fsx-last-backup-recovery-point-created rule."
type = object({
@@ -1245,6 +1413,46 @@ variable "internet_gateway_authorized_vpc_only_parameters" {
default = {}
}
+variable "iotsitewise_asset_model_tagged_parameters" {
+ description = "Input parameters for the iotsitewise-asset-model-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "iotsitewise_dashboard_tagged_parameters" {
+ description = "Input parameters for the iotsitewise-dashboard-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "iotsitewise_gateway_tagged_parameters" {
+ description = "Input parameters for the iotsitewise-gateway-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "iotsitewise_portal_tagged_parameters" {
+ description = "Input parameters for the iotsitewise-portal-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
+variable "iotsitewise_project_tagged_parameters" {
+ description = "Input parameters for the iotsitewise-project-tagged rule."
+ type = object({
+ requiredKeyTags = optional(string, null)
+ })
+ default = {}
+}
+
variable "kinesis_firehose_delivery_stream_encrypted_parameters" {
description = "Input parameters for the kinesis-firehose-delivery-stream-encrypted rule."
type = object({
@@ -1409,6 +1617,14 @@ variable "opensearch_logs_to_cloudwatch_parameters" {
default = {}
}
+variable "rabbit_mq_supported_version_parameters" {
+ description = "Input parameters for the rabbit-mq-supported-version rule."
+ type = object({
+ supportedEngineVersion = optional(string, null)
+ })
+ default = {}
+}
+
variable "rds_cluster_default_admin_check_parameters" {
description = "Input parameters for the rds-cluster-default-admin-check rule."
type = object({
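Review bot: `supportedEngineVersion` in `rabbit_mq_supported_version_parameters` defaults to `null`, but the rule it feeds (`rabbit-mq-supported-version`, whose description says it checks "the minimum supported engine version that you specify") has nothing to compare against without it, so a caller who enables the rule and leaves the variable at its default gets either an apply-time rejection or a vacuous check — which of the two depends on how a null parameter is handed to AWS Config, which is not visible in this file. A variable-level `validation` forcing the key non-null would be wrong, because the empty default must remain valid for deployments that never enable the rule; the right fix is to state the contract in the description: `description = "Input parameters for the rabbit-mq-supported-version rule. supportedEngineVersion is required by the rule; the null default is only valid while the rule is not enabled."`. The same pattern applies to `active_mq_supported_version_parameters` added earlier in this file.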
@@ -1496,6 +1712,14 @@ variable "rds_resources_protected_by_backup_plan_parameters" {
default = {}
}
+variable "rds_sql_server_logs_to_cloudwatch_parameters" {
+ description = "Input parameters for the rds-sql-server-logs-to-cloudwatch rule."
+ type = object({
+ logTypes = optional(string, null)
+ })
+ default = {}
+}
+
variable "rds_storage_encrypted_parameters" {
description = "Input parameters for the rds-storage-encrypted rule."
type = object({
@@ -1982,6 +2206,15 @@ variable "virtualmachine_resources_protected_by_backup_plan_parameters" {
default = {}
}
+variable "vpc_endpoint_enabled_parameters" {
+ description = "Input parameters for the vpc-endpoint-enabled rule."
+ type = object({
+ serviceNames = optional(string, null)
+ vpcIds = optional(string, null)
+ })
+ default = {}
+}
+
variable "vpc_flow_logs_enabled_parameters" {
description = "Input parameters for the vpc-flow-logs-enabled rule."
type = object({
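Review bot: `serviceNames` in `vpc_endpoint_enabled_parameters` is the entire input of `vpc-endpoint-enabled` (the rule "checks if each service specified in the parameter has an Amazon VPC endpoint"), yet it is typed exactly like the genuinely optional `vpcIds`, and nothing in the variable tells a caller that the null default stops being usable once the rule is enabled or what shape the string takes (presumably a comma-separated list, like the other list-valued string parameters in this file — confirm). This is the rule a deployment relies on to show that traffic to services such as S3 or KMS stays on private endpoints, so a silently empty service list defeats its purpose. I would keep the default as it is (deployments that do not enable the rule need it), document the contract in the description, and reject an empty string at plan time, since that can never be a valid service list:

```hcl
variable "vpc_endpoint_enabled_parameters" {
  description = "Input parameters for the vpc-endpoint-enabled rule. serviceNames is required by the rule (a comma-separated list of endpoint service names; the null default is only valid while the rule is not enabled). vpcIds optionally limits evaluation to the listed VPCs."
  # … unchanged: type and default …

  # An empty string can never be a valid service list; fail at plan time rather than at AWS Config evaluation.
  validation {
    condition     = var.vpc_endpoint_enabled_parameters.serviceNames == null || length(trimspace(var.vpc_endpoint_enabled_parameters.serviceNames)) > 0
    error_message = "vpc_endpoint_enabled_parameters.serviceNames must be a non-empty comma-separated list of endpoint service names when set."
  }
}
```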