
Managed Security Review for AWS

Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains the managed security reviews for AWS provided by Flatt Security. Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

To use managed security reviews

Once you apply Shisho Cloud workflows to your organization, the security review results appear shortly afterwards.

All managed review items

| Title | Related Standards | Default Severity | ID in Shisho Cloud |
| --- | --- | --- | --- |
| Ensure that ACM certificates are renewed before expiry | ACM.1 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_acm_certificate_expiry |
| Ensure that ACM RSA certificates use allowed key algorithms | ACM.2 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_acm_certificate_key_algorithm |
| Ensure Application Load Balancer deletion protection is enabled | ELB.6 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_alb_delete_protection |
| Ensure Application Load Balancers mitigate HTTP desync attacks | ELB.12 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_alb_desync_mitigation |
| Ensure Application Load Balancers redirect all HTTP requests to HTTPS | ELB.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_alb_https_redirection |
| Ensure Application Load Balancers drop invalid HTTP headers | ELB.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_alb_invalid_header_handling |
| Ensure Application Load Balancers have an active logging bucket | ELB.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_alb_logging |
| Ensure that the Web Application Avoids Public Exposure of AMIs | | Critical | decision.api.shisho.dev/v1beta:aws_ami_public_access |
| Ensure that access logging is configured for API Gateway V2 Stages | APIGateway.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_apigateway_access_logging |
| Ensure that API Gateway REST API cache data is encrypted at rest | APIGateway.5 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_apigateway_cache_encryption |
| Ensure that logging for API Gateway REST and WebSocket API is enabled | APIGateway.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_apigateway_logging |
| Ensure that API Gateway routes or backends have proper authentication | APIGateway.8 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_apigateway_route_auth |
| Ensure that access to API Gateway backends uses client certificates | APIGateway.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_apigateway_ssl_certificates |
| Ensure that API Gateway is associated with a WAF Web ACL | APIGateway.4 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_apigateway_waf_web_acl |
| Ensure that AWS X-Ray tracing for API Gateway is enabled | APIGateway.3 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_apigateway_xray_tracing |
| Ensure that Auto Scaling groups cover multiple Availability Zones | AutoScaling.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_availability_zones |
| Ensure that Auto Scaling groups use multiple instance types in multiple Availability Zones | AutoScaling.6 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_instance_types |
| Ensure that Auto Scaling groups use EC2 launch templates | AutoScaling.9 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_autoscaling_group_launch_template |
| Ensure that Auto Scaling groups associated with a Classic Load Balancer use load balancer health checks | AutoScaling.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_lb_health_check |
| Ensure that Auto Scaling groups require IMDSv2 | AutoScaling.3 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_imdsv2 |
| Ensure that EC2 instances do not have Public IP addresses | AutoScaling.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_public_ip |
| Ensure that Auto Scaling group launch configurations do not have a metadata response hop limit greater than 1 | AutoScaling.4 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_response_hop_limit |
| Ensure that events on CloudFormation stacks are integrated with an SNS topic | CloudFormation.1 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_cloudformation_stack_sns |
| Ensure that CloudFront distributions use custom SSL/TLS certificates | CloudFront.7 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_default_certificate |
| Ensure CloudFront distributions have a default root object | CloudFront.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_cloudfront_default_root_object |
| Ensure CloudFront distributions have an active logging bucket | CloudFront.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_logging |
| Ensure CloudFront distributions with S3 backends have origin access control enabled | CloudFront.13 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_access_control |
| Ensure that CloudFront distributions have origin failover configured | CloudFront.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_failover |
| Ensure that CloudFront distributions point to existing S3 origins | CloudFront.12 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_s3_bucket_existence |
| Ensure that connections to CloudFront distribution origins are forced to use HTTPS | CloudFront.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport |
| Ensure that HTTPS connections to CloudFront distribution origins use secure SSL/TLS protocols | CloudFront.10 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport_version |
| Ensure that CloudFront distributions use SNI to serve HTTPS requests | CloudFront.8 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_cloudfront_sni |
| Ensure that the Web Application Enforces the TLS Version Used When Connecting to CloudFront | | High | decision.api.shisho.dev/v1beta:aws_cloudfront_tls_version |
| Ensure that connections to CloudFront distributions are forced to use HTTPS | CloudFront.3 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_transport |
| Ensure that CloudFront distributions have WAF enabled | CloudFront.6 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_cloudfront_waf |
| Ensure CloudTrail trails are integrated with CloudWatch Logs | CloudTrail.5 (AWS FSBP), 3.4 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_cloudtrail_cloudwatch_logs_integration |
| Ensure CloudTrail logs are encrypted at rest using KMS CMKs | CloudTrail.2 (AWS FSBP), 3.7 (CIS AWS v1.5.0), 3.5 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_cmk_encryption |
| Ensure the S3 bucket for CloudTrail logs is not publicly accessible | 3.3 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_bucket_accessibility |
| Ensure CloudTrail log file validation is enabled | PCI.CloudTrail.4 (AWS FSBP), 3.2 (CIS AWS v1.5.0), 3.2 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_file_validation |
| Ensure CloudTrail is enabled in all regions | CloudTrail.1 (AWS FSBP), 3.1 (CIS AWS v1.5.0), 3.1 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_cloudtrail_usage |
| Ensure that CodeBuild project environments do not have privileged mode enabled | CodeBuild.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_codebuild_project_env_privileged_mode |
| Ensure that CodeBuild project environment variables do not contain clear text AWS credentials | CodeBuild.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_codebuild_project_env_variables |
| Ensure that CodeBuild project environments have a logging AWS Configuration | CodeBuild.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_codebuild_project_logging_status |
| Ensure that CodeBuild projects are configured to encrypt S3 logs | CodeBuild.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_codebuild_project_s3_logs_encryption |
| Ensure that CodeBuild Bitbucket source repository URLs do not include credentials | CodeBuild.1 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_codebuild_project_source_repository_credential |
| Ensure That the Web Application Minimizes Role Assignment to Authenticated Users of Cognito Identity Pool | | High | decision.api.shisho.dev/v1beta:aws_cognito_authenticated_role |
| Ensure That the Web Application Avoids Granting Roles to Unauthenticated Users in Cognito Identity Pool | | Critical | decision.api.shisho.dev/v1beta:aws_cognito_unauthenticated_role |
| Ensure AWS Config is enabled in all regions | Config.1 (AWS FSBP), 3.5 (CIS AWS v1.5.0), 3.3 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_config_recorder_status |
| Ensure that DynamoDB Accelerator clusters are encrypted at rest | DynamoDB.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_dax_cluster_encryption |
| Ensure that DynamoDB tables have point-in-time recovery enabled | DynamoDB.2 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_dynamodb_table_point_in_time_recovery |
| Ensure that DynamoDB tables use auto scaling | DynamoDB.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_dynamodb_table_scale_capacity |
| Ensure that Amazon EBS snapshots are not publicly restorable | EC2.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_ebs_snapshot_publicly_restorable |
| Ensure that attached Amazon EBS volumes are encrypted at rest | EC2.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption |
| Ensure EBS volume encryption is enabled in all regions | EC2.7 (AWS FSBP), 2.2.1 (CIS AWS v1.5.0), 2.2.1 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline |
| Ensure that EC2 instances use Instance Metadata Service Version 2 (IMDSv2) | EC2.8 (AWS FSBP), 5.6 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_ec2_instance_imdsv2 |
| Ensure that EC2 instances do not use multiple ENIs | EC2.17 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_network_interface |
| Ensure that EC2 instances do not have a public IPv4 address | EC2.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ec2_instance_public_ip_address |
| Ensure that stopped EC2 instances are removed | EC2.4 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_state |
| Ensure that EC2 paravirtual instance types are not used | EC2.24 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_virtualization |
| Ensure that EC2 is configured to use VPC endpoints to connect to the EC2 API | EC2.10 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_vpc_endpoint |
| Ensure that EC2 launch templates do not assign public IPs to network interfaces | EC2.25 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ec2_launch_template_public_ip_address |
| Ensure that ECR private repositories have image scanning configured | ECR.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecr_repository_image_scan_config |
| Ensure that ECR repositories have at least one lifecycle policy configured | ECR.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecr_repository_lifecycle_policy_config |
| Ensure that ECR private repositories have tag immutability configured | ECR.2 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ecr_repository_tag_immutability |
| Ensure that ECS clusters use Container Insights | ECS.12 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ecs_cluster_container_insights |
| Ensure that secrets are not passed as container environment variables | ECS.8 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ecs_container_environment_variables |
| Ensure root filesystem operation by ECS containers is limited to read-only access | ECS.5 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecs_container_fs_permission |
| Ensure ECS containers run as non-privileged | ECS.4 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_container_privilege |
| Ensure public IP addresses are not assigned to ECS services automatically | ECS.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_service_public_ip |
| Ensure that ECS Fargate services run on proper Fargate platform versions | ECS.10 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecs_task_fargate_version |
| Ensure that ECS task definitions have secure networking modes | ECS.1 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_task_networking_mode |
| Ensure that ECS task definitions do not share the host's process namespace | ECS.3 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_task_process_namespace |
| Ensure that EFS access points have a root directory other than / | EFS.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_efs_access_point_root_directory |
| Ensure that EFS access points enforce a user identity | EFS.4 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_efs_access_point_user_identity |
| Ensure that Amazon EFS volumes are in backup plans | EFS.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_efs_volume_backup_plan |
| Ensure EFS file systems are encrypted | EFS.1 (AWS FSBP), 2.4.1 (CIS AWS v1.5.0), 2.4.1 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_efs_volume_encryption |
| Ensure that audit logging for EKS clusters is enabled | EKS.8 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_eks_audit_logging |
| Ensure that access to EKS cluster endpoints is restricted | EKS.1 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_eks_public_access |
| Ensure that AWS Load Balancers span multiple Availability Zones | ELB.13 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_elb_availability_zones |
| Ensure That the Web Application Enforces the Use of a Secure TLS Version When Connecting to ELB | | High | decision.api.shisho.dev/v1beta:aws_elb_tls_version |
| Ensure that the Web Application Enforces the Use of HTTPS When Connecting to ELB | | High | decision.api.shisho.dev/v1beta:aws_elb_transport |
| Ensure That the Web Application Controls Communication Between ALB and Backend Using Only Security Groups | | Medium | decision.api.shisho.dev/v1beta:aws_elb_transport_sg |
| Ensure that GuardDuty is enabled | GuardDuty.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_guardduty_status |
| Ensure that IAM Access Analyzer is enabled for all regions | 1.20 (CIS AWS v1.5.0), 1.20 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_iam_access_analyzers |
| Ensure that security contact information is registered to AWS accounts | Account.1 (AWS FSBP), 1.2 (CIS AWS v1.5.0), 1.2 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_iam_account_alternate_contact |
| Ensure IAM policies that allow full administrative privileges are not attached | IAM.1 (AWS FSBP), 1.16 (CIS AWS v1.5.0), 1.16 (CIS AWS v3.0.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation |
| Ensure That the Web Application Minimizes the Trust Relationship of IAM Roles | | Low | decision.api.shisho.dev/v1beta:aws_iam_assumerole_policy |
| Ensure access keys are not created during initial user setup for all IAM users with a console password | 1.11 (CIS AWS v1.5.0), 1.11 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_iam_console_user_keys |
| Ensure credentials unused for a specified number of days are disabled | IAM.8 (AWS FSBP), 1.12 (CIS AWS v1.5.0), 1.12 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory |
| Ensure AWS IAM access keys are rotated within a pre-defined time window | IAM.3 (AWS FSBP), 1.14 (CIS AWS v1.5.0), 1.14 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_iam_key_rotation |
| Ensure IAM password policy requires a sufficient minimum length | 1.8 (CIS AWS v1.5.0), 1.8 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_password_length |
| Ensure IAM password policy prevents password reuse | 1.9 (CIS AWS v1.5.0), 1.9 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_password_reuse |
| Ensure that IAM policies that you create do not use wildcard actions | IAM.21 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_iam_policy_service_limitation |
| Ensure a support role has been created to manage incidents with AWS Support | 1.17 (CIS AWS v1.5.0), 1.17 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_iam_role_for_support |
| Ensure Hardware MFA is enabled for the root user account | IAM.6 (AWS FSBP), 1.6 (CIS AWS v1.5.0), 1.6 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa |
| Ensure the AWS root user does not have access keys | IAM.4 (AWS FSBP), 1.4 (CIS AWS v1.5.0), 1.4 (CIS AWS v3.0.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_key |
| Ensure MFA is enabled for the root user account | 1.5 (CIS AWS v1.5.0), 1.5 (CIS AWS v3.0.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa |
| Ensure the AWS root user is used only for limited purposes | 1.7 (CIS AWS v1.5.0), 1.7 (CIS AWS v3.0.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_usage |
| Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | 1.19 (CIS AWS v1.5.0), 1.19 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_iam_server_certificates |
| Ensure there is only one active access key available for any single IAM user | 1.13 (CIS AWS v1.5.0), 1.13 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_iam_user_available_access_keys |
| Ensure IAM users receive permissions only through groups | IAM.2 (AWS FSBP), 1.15 (CIS AWS v1.5.0), 1.15 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IAM.5 (AWS FSBP), 1.10 (CIS AWS v1.5.0), 1.10 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_user_mfa |
| Ensure that Kinesis streams are encrypted at rest | Kinesis.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_kinesis_stream_encryption |
| Ensure that AWS KMS keys are not deleted unintentionally | KMS.3 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_kms_key_deletion |
| Ensure that IAM customer managed policies do not allow decryption actions on all KMS keys | KMS.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_kms_key_iam_policies |
| Ensure rotation for customer created symmetric CMKs is enabled | 3.8 (CIS AWS v1.5.0), 3.6 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_kms_symmetric_cmk_rotation |
| Ensure that Lambda functions are publicly accessible only if they are allowed | Lambda.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_lambda_public_access |
| Ensure that Lambda functions use newer runtimes | Lambda.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_lambda_runtime |
| Ensure that VPC Lambda functions operate in more than one Availability Zone | Lambda.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_lambda_vpc_availability_zone |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | 4.8 (CIS AWS v1.5.0), 4.8 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_bucket_policy_changes |
| Ensure a log metric filter and alarm exist for CloudTrail configuration changes | 4.5 (CIS AWS v1.5.0), 4.5 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_cloudtrail_changes |
| Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | 4.7 (CIS AWS v1.5.0), 4.7 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_cmk_changes |
| Ensure a log metric filter and alarm exist for AWS Config configuration changes | 4.9 (CIS AWS v1.5.0), 4.9 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_config_changes |
| Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | 4.6 (CIS AWS v1.5.0), 4.6 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_auth_failure |
| Ensure a log metric filter and alarm exist for usage of the root user | 4.3 (CIS AWS v1.5.0), 4.3 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_root_user_usage |
| Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | 4.2 (CIS AWS v1.5.0), 4.2 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_signin_mfa |
| Ensure a log metric filter and alarm exist for IAM policy changes | 4.4 (CIS AWS v1.5.0), 4.4 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_iam_policy_changes |
| Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | 4.11 (CIS AWS v1.5.0), 4.11 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_nacl_changes |
| Ensure a log metric filter and alarm exist for changes to network gateways | 4.12 (CIS AWS v1.5.0), 4.12 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_network_gateway_changes |
| Ensure a log metric filter and alarm exist for AWS Organizations changes | 4.15 (CIS AWS v1.5.0), 4.15 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_organizations_changes |
| Ensure a log metric filter and alarm exist for route table changes | 4.13 (CIS AWS v1.5.0), 4.13 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_route_table_changes |
| Ensure a log metric filter and alarm exist for security group changes | 4.10 (CIS AWS v1.5.0), 4.10 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_security_group_changes |
| Ensure a log metric filter and alarm exist for unauthorized API calls | 4.1 (CIS AWS v1.5.0), 4.1 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_unauthorized_api_calls |
| Ensure a log metric filter and alarm exist for VPC changes | 4.14 (CIS AWS v1.5.0), 4.14 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_vpc_changes |
| Ensure that unused Network Access Control Lists are removed | EC2.16 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_networking_acl_assosiations |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | EC2.21 (AWS FSBP), 5.1 (CIS AWS v1.5.0), 5.1 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_networking_acl_ingress |
| Ensure that the VPC default security group does not allow inbound or outbound traffic | EC2.2 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_networking_default_sg_restriction |
| Ensure that the default stateless action for Network Firewall policies is drop or forward for full packets | NetworkFirewall.4 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_fp_stateless_action |
| Ensure that the default stateless action for Network Firewall policies is drop or forward for fragmented packets | NetworkFirewall.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_fp_stateless_fragment_action |
| Ensure that stateless Network Firewall rule groups are not empty | NetworkFirewall.6 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_frg_rules |
| Ensure the default security group restricts all traffic | 5.4 (CIS AWS v1.5.0), 5.4 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_networking_sg_baseline |
| Ensure that security groups only allow unrestricted incoming traffic for authorized ports | EC2.18 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_rules |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | 5.2 (CIS AWS v1.5.0), 5.2 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4 |
| Ensure no security groups allow ingress from ::/0 to remote server administration ports | 5.3 (CIS AWS v1.5.0), 5.3 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6 |
| Ensure that EC2 subnets do not automatically assign public IP addresses | EC2.15 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_subnet_public_ip |
| Ensure that Transit Gateways do not automatically accept VPC attachment requests | EC2.23 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_transit_gateway_auto_vpc_attachment |
| Ensure AWS VPC flow logging is enabled | EC2.6 (AWS FSBP), 3.9 (CIS AWS v1.5.0), 3.7 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging |
| Ensure that both VPN tunnels for an AWS Site-to-Site VPN connection are up | EC2.20 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_networking_vpn_tunnels_state |
| Ensure that RDS clusters use a custom administrator username | RDS.24 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_cluster_administrator_username |
| Ensure that RDS DB clusters are configured with multiple Availability Zones | RDS.15 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_availability_zone |
| Ensure that Amazon Aurora clusters have backtracking enabled | RDS.14 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_backtracking |
| Ensure that RDS DB clusters are configured to copy tags to snapshots | RDS.16 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_copy_tags_to_snapshots |
| Ensure that RDS clusters have deletion protection enabled | RDS.7 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_rds_cluster_deletion_protection |
| Ensure that IAM authentication is configured for RDS clusters | RDS.12 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_cluster_iam_authentication |
| Ensure that RDS instances and clusters do not use a database engine default port | RDS.23 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_default_port_usage |
| Ensure that public access is not given to RDS instances | RDS.2 (AWS FSBP), 2.3.3 (CIS AWS v1.5.0), 2.3.3 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility |
| Ensure that RDS Database instances use a custom administrator username | RDS.25 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_administrator_username |
| Ensure auto minor version upgrade feature is enabled for RDS instances | RDS.13 (AWS FSBP), 2.3.2 (CIS AWS v1.5.0), 2.3.2 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade |
| Ensure that RDS instances have automatic backups enabled | RDS.11 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_automatic_backup |
| Ensure that RDS DB instances are configured with multiple Availability Zones | RDS.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_availability_zone |
| Ensure that RDS DB instances are configured to copy tags to snapshots | RDS.17 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_instance_copy_tags_to_snapshots |
| Ensure that RDS DB instances have deletion protection enabled | RDS.8 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_rds_instance_deletion_protection |
| Ensure encryption is enabled for RDS instances | RDS.3 (AWS FSBP), 2.3.1 (CIS AWS v1.5.0), 2.3.1 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_encryption |
| Ensure that enhanced monitoring is configured for RDS DB instances | RDS.6 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_instance_enhanced_monitoring |
| Ensure that IAM authentication is configured for RDS instances | RDS.10 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_iam_authentication |
| Ensure that database logging is enabled | RDS.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_logging |
| Ensure that RDS instances are deployed in a VPC | RDS.18 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_vpc |
| Ensure that RDS snapshots are private | RDS.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_rds_snapshot_accessibility |
| Ensure that RDS cluster snapshots and database snapshots are encrypted at rest | RDS.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_snapshot_encryption |
| Ensure that an RDS event notifications subscription is configured for critical database parameter group events | RDS.21 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_subscription_parameter_group_event |
| Ensure that an RDS event notifications subscription is configured for critical database security group events | RDS.22 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_subscription_security_group_event |
| Ensure that the S3 Block Public Access setting is enabled | S3.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_account_public_access_block |
| Ensure access logging is enabled for important S3 buckets | S3.9 (AWS FSBP), 3.6 (CIS AWS v1.5.0), 3.4 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging |
| Ensure that S3 permissions granted to other AWS accounts in bucket policies are restricted | S3.6 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_account_permission |
| Ensure that S3 access control lists (ACLs) are not used | S3.12 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_acl |
| Ensure that S3 buckets have cross-region replication enabled | S3.7 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_cross_region_replication |
| Ensure all S3 buckets are encrypted | S3.4 (AWS FSBP), 2.1.1 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption |
| Ensure that S3 buckets have event notifications enabled | S3.11 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_s3_bucket_event_notifications |
| Ensure that S3 buckets are encrypted at rest with AWS KMS keys | S3.17 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_kms_encryption |
| Ensure that S3 buckets have lifecycle policies configured | S3.13 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_s3_bucket_lifecycle_policy |
| Ensure MFA Delete is enabled on S3 buckets | 2.1.3 (CIS AWS v1.5.0), 2.1.3 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete |
| Ensure that S3 buckets are configured to use Object Lock | S3.15 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_object_lock |
| Ensure S3 buckets have the Block Public Access feature enabled | S3.8 (AWS FSBP), 2.1.5 (CIS AWS v1.5.0), 2.1.4 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block |
| Ensure S3 buckets prohibit public read access | S3.2 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_read_access |
| Ensure S3 buckets prohibit public write access | S3.3 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_write_access |
| Ensure CloudTrail trails are logging S3 bucket read events | 3.11 (CIS AWS v1.5.0), 3.9 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_read_trail |
| Ensure S3 buckets deny HTTP requests | 2.1.2 (CIS AWS v1.5.0), 2.1.1 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_transport |
| Ensure that S3 buckets use versioning | S3.14 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_versioning |
| Ensure that S3 buckets with versioning enabled have lifecycle policies configured | S3.10 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_versioning_lifecycle_policy |
| Ensure CloudTrail trails are logging S3 bucket data write events | 3.10 (CIS AWS v1.5.0), 3.8 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_write_trail |
| Ensure that Secrets Manager secrets have automatic rotation enabled | SecretsManager.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_auto_rotation |
| Ensure that Secrets Manager secrets configured with automatic rotation rotate successfully | SecretsManager.2 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_auto_rotation_state |
| Ensure that Secrets Manager secrets are rotated within a specified number of days | SecretsManager.4 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_rotation_interval |
| Ensure that unused Secrets Manager secrets are removed | SecretsManager.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_secretsmanager_secret_usage |
| Ensure AWS Security Hub is enabled | 4.16 (CIS AWS v1.5.0), 4.16 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_securityhub_usage |
| Ensure that SNS topics are encrypted | SNS.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_sns_kms_encryption |
| Ensure that Amazon SQS queues are encrypted | SQS.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_sqs_encryption |
| Ensure that EC2 instances managed by Systems Manager have an association compliance status of COMPLIANT | SSM.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ssm_association_compliance |
| Ensure that SSM documents are not public | SSM.4 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_ssm_document_accessibility |
| Ensure that EC2 instances are managed by AWS Systems Manager | SSM.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ssm_managed_instances |
| Ensure that EC2 instances managed by Systems Manager have a patch compliance status of COMPLIANT after a patch installation | SSM.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ssm_patch_compliance |
| Ensure that a WAF Classic rule has at least one condition | WAF.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_rule_condition |
| Ensure that a WAF Classic rule group has at least one rule | WAF.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_rule_group_attached_rules |
| Ensure that AWS WAF Classic Global Web ACL logging is enabled | WAF.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_waf_classic_web_acl_logging |
| Ensure that a WAF Classic Web ACL has at least one rule or rule group | WAF.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_web_acl_rules |
| Ensure that AWS WAFv2 web ACL logging is activated | WAF.11 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_waf_web_acl_logging |
| Ensure that a WAFv2 web ACL has at least one rule or rule group | WAF.10 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_waf_web_acl_rules |