Managed Security Review for AWS
Info: The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains the managed security reviews for AWS provided by Flatt Security. Note that Flatt Security may provide more policies than those described here, depending on your support plan.
To use managed security reviews
Apply the following Shisho Cloud workflows to your organization, and security review results will appear shortly afterwards:
- Workflows for CIS AWS Foundations Benchmark v1.5.0
- Workflows for AWS Foundational Security Best Practices (FSBP)
All managed review items
Title | Related Standards | Default Severity | ID in Shisho Cloud |
---|---|---|---|
Ensure that ACM certificates are renewed before expiry | ACM.1 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_acm_certificate_expiry |
Ensure that ACM RSA certificates use allowed key algorithms | ACM.2 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_acm_certificate_key_algorithm |
Ensure Application Load Balancer deletion protection is enabled | ELB.6 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_alb_delete_protection |
Ensure Application Load Balancers mitigate HTTP desync attacks | ELB.12 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_alb_desync_mitigation |
Ensure Application Load Balancers redirect all HTTP requests to HTTPS | ELB.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_alb_https_redirection |
Ensure Application Load Balancers drop invalid HTTP headers | ELB.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_alb_invalid_header_handling |
Ensure Application Load Balancers have an active logging bucket | ELB.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_alb_logging |
Ensure that access logging is configured for API Gateway V2 stages | APIGateway.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_apigateway_access_logging |
Ensure that API Gateway REST API cache data is encrypted at rest | APIGateway.5 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_apigateway_cache_encryption |
Ensure that logging for API Gateway REST and WebSocket API is enabled | APIGateway.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_apigateway_logging |
Ensure that API Gateway routes or backends have proper authentication | APIGateway.8 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_apigateway_route_auth |
Ensure that access to API Gateway backends uses client certificates | APIGateway.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_apigateway_ssl_certificates |
Ensure that API Gateway is associated with a WAF Web ACL | APIGateway.4 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_apigateway_waf_web_acl |
Ensure that AWS X-Ray tracing for API Gateway is enabled | APIGateway.3 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_apigateway_xray_tracing |
Ensure that Auto Scaling groups cover multiple Availability Zones | AutoScaling.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_availability_zones |
Ensure that Auto Scaling groups use multiple instance types in multiple Availability Zones | AutoScaling.6 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_instance_types |
Ensure that Auto Scaling groups use EC2 launch templates | AutoScaling.9 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_autoscaling_group_launch_template |
Ensure that Auto Scaling groups associated with a Classic Load Balancer use load balancer health checks | AutoScaling.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_lb_health_check |
Ensure that Auto Scaling launch configurations require IMDSv2 | AutoScaling.3 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_imdsv2 |
Ensure that EC2 instances launched from Auto Scaling launch configurations do not have public IP addresses | AutoScaling.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_public_ip |
Ensure that Auto Scaling launch configurations do not have a metadata response hop limit greater than 1 | AutoScaling.4 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_response_hop_limit |
Ensure that CloudFormation stack events are published to an SNS topic | CloudFormation.1 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_cloudformation_stack_sns |
Ensure that CloudFront distributions use custom SSL/TLS certificates | CloudFront.7 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_default_certificate |
Ensure CloudFront distributions have a default root object | CloudFront.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_cloudfront_default_root_object |
Ensure CloudFront distributions have an active logging bucket | CloudFront.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_logging |
Ensure CloudFront distributions with S3 origins use origin access control | CloudFront.13 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_access_control |
Ensure that CloudFront distributions have origin failover configured | CloudFront.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_failover |
Ensure that CloudFront distributions point to existing S3 origins | CloudFront.12 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_s3_bucket_existence |
Ensure that connections to CloudFront distribution origins are forced to use HTTPS | CloudFront.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport |
Ensure that HTTPS connections to CloudFront distribution origins use secure SSL/TLS protocols | CloudFront.10 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport_version |
Ensure that CloudFront distributions use SNI to serve HTTPS requests | CloudFront.8 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_cloudfront_sni |
Ensure that connections to CloudFront distributions are forced to use HTTPS | CloudFront.3 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_transport |
Ensure that CloudFront distributions have WAF enabled | CloudFront.6 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_cloudfront_waf |
Ensure CloudTrail trails are integrated with CloudWatch Logs | CloudTrail.5 (AWS FSBP), 3.4 (CIS AWS v1.5.0) | Info | decision.api.shisho.dev/v1beta:aws_cloudtrail_cloudwatch_logs_integration |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs | CloudTrail.2 (AWS FSBP), 3.7 (CIS AWS v1.5.0), 3.5 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_cmk_encryption |
Ensure the S3 bucket for CloudTrail logs is not publicly accessible | 3.3 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_bucket_accessibility |
Ensure CloudTrail log file validation is enabled | PCI.CloudTrail.4 (AWS FSBP), 3.2 (CIS AWS v1.5.0), 3.2 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_file_validation |
Ensure CloudTrail is enabled in all regions | CloudTrail.1 (AWS FSBP), 3.1 (CIS AWS v1.5.0), 3.1 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_cloudtrail_usage |
Ensure that CodeBuild project environments do not have privileged mode enabled | CodeBuild.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_codebuild_project_env_privileged_mode |
Ensure that CodeBuild project environment variables do not contain clear text AWS credentials | CodeBuild.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_codebuild_project_env_variables |
Ensure that CodeBuild project environments have logging configured | CodeBuild.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_codebuild_project_logging_status |
Ensure that CodeBuild projects are configured to encrypt S3 logs | CodeBuild.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_codebuild_project_s3_logs_encryption |
Ensure that CodeBuild Bitbucket source repository URLs do not include credentials | CodeBuild.1 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_codebuild_project_source_repository_credential |
Ensure AWS Config is enabled in all regions | Config.1 (AWS FSBP), 3.5 (CIS AWS v1.5.0), 3.3 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_config_recorder_status |
Ensure that DynamoDB Accelerator (DAX) clusters are encrypted at rest | DynamoDB.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_dax_cluster_encryption |
Ensure that DynamoDB tables have point-in-time recovery enabled | DynamoDB.2 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_dynamodb_table_point_in_time_recovery |
Ensure that DynamoDB tables use auto scaling | DynamoDB.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_dynamodb_table_scale_capacity |
Ensure that Amazon EBS snapshots are not publicly restorable | EC2.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_ebs_snapshot_publicly_restorable |
Ensure that attached Amazon EBS volumes are encrypted at rest | EC2.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption |
Ensure EBS volume encryption is enabled in all regions | EC2.7 (AWS FSBP), 2.2.1 (CIS AWS v1.5.0), 2.2.1 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline |
Ensure that EC2 instances use Instance Metadata Service Version 2 (IMDSv2) | EC2.8 (AWS FSBP), 5.6 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_ec2_instance_imdsv2 |
Ensure that EC2 instances do not use multiple ENIs | EC2.17 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_network_interface |
Ensure that EC2 instances do not have a public IPv4 address | EC2.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ec2_instance_public_ip_address |
Ensure that EC2 instances stopped for a specified period are removed | EC2.4 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_state |
Ensure that EC2 paravirtual instance types are not used | EC2.24 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_virtualization |
Ensure that EC2 is configured to use VPC endpoints for the EC2 API | EC2.10 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_vpc_endpoint |
Ensure that EC2 launch templates do not assign public IPs to network interfaces | EC2.25 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ec2_launch_template_public_ip_address |
Ensure that ECR private repositories have image scanning configured | ECR.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecr_repository_image_scan_config |
Ensure that ECR repositories have at least one lifecycle policy configured | ECR.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecr_repository_lifecycle_policy_config |
Ensure that ECR private repositories have tag immutability configured | ECR.2 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ecr_repository_tag_immutability |
Ensure that ECS clusters use Container Insights | ECS.12 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_ecs_cluster_container_insights |
Ensure that secrets are not passed to ECS containers as environment variables | ECS.8 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ecs_container_environment_variables |
Ensure root filesystem operation by ECS containers is limited to read-only access | ECS.5 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecs_container_fs_permission |
Ensure ECS containers run as non-privileged | ECS.4 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_container_privilege |
Ensure public IP addresses are not assigned to ECS services automatically | ECS.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_service_public_ip |
Ensure that ECS Fargate services run on the latest Fargate platform version | ECS.10 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ecs_task_fargate_version |
Ensure that ECS task definitions have secure networking modes | ECS.1 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_task_networking_mode |
Ensure that ECS task definitions do not share the host's process namespace | ECS.3 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ecs_task_process_namespace |
Ensure that EFS access points enforce a root directory other than / | EFS.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_efs_access_point_root_directory |
Ensure that EFS access points enforce a user identity | EFS.4 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_efs_access_point_user_identity |
Ensure that Amazon EFS volumes are in backup plans | EFS.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_efs_volume_backup_plan |
Ensure EFS file systems are encrypted | EFS.1 (AWS FSBP), 2.4.1 (CIS AWS v1.5.0), 2.4.1 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_efs_volume_encryption |
Ensure that audit logging for EKS clusters is enabled | EKS.8 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_eks_audit_logging |
Ensure that access to EKS cluster endpoints is restricted | EKS.1 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_eks_public_access |
Ensure that AWS Load Balancers span multiple Availability Zones | ELB.13 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_elb_availability_zones |
Ensure that GuardDuty is enabled | GuardDuty.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_guardduty_status |
Ensure that IAM Access Analyzer is enabled in all regions | 1.20 (CIS AWS v1.5.0), 1.20 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_iam_access_analyzers |
Ensure that security contact information is registered to AWS accounts | Account.1 (AWS FSBP), 1.2 (CIS AWS v1.5.0), 1.2 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_iam_account_alternate_contact |
Ensure IAM policies that allow full administrative privileges are not attached | IAM.1 (AWS FSBP), 1.16 (CIS AWS v1.5.0), 1.16 (CIS AWS v3.0.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation |
Ensure access keys are not created during initial user setup for IAM users with a console password | 1.11 (CIS AWS v1.5.0), 1.11 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_iam_console_user_keys |
Ensure credentials unused for a specified number of days are disabled | IAM.8 (AWS FSBP), 1.12 (CIS AWS v1.5.0), 1.12 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory |
Ensure IAM access keys are rotated within a predefined time window | IAM.3 (AWS FSBP), 1.14 (CIS AWS v1.5.0), 1.14 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_iam_key_rotation |
Ensure IAM password policy requires a sufficient minimum length | 1.8 (CIS AWS v1.5.0), 1.8 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_password_length |
Ensure IAM password policy prevents password reuse | 1.9 (CIS AWS v1.5.0), 1.9 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_password_reuse |
Ensure that IAM policies that you create do not use wildcard actions | IAM.21 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_iam_policy_service_limitation |
Ensure a support role has been created to manage incidents with AWS Support | 1.17 (CIS AWS v1.5.0), 1.17 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_iam_role_for_support |
Ensure Hardware MFA is enabled for the root user account | IAM.6 (AWS FSBP), 1.6 (CIS AWS v1.5.0), 1.6 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa |
Ensure the AWS root user does not have access keys | IAM.4 (AWS FSBP), 1.4 (CIS AWS v1.5.0), 1.4 (CIS AWS v3.0.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_key |
Ensure MFA is enabled for the root user account | 1.5 (CIS AWS v1.5.0), 1.5 (CIS AWS v3.0.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa |
Ensure the AWS root user is not used for administrative or daily tasks | 1.7 (CIS AWS v1.5.0), 1.7 (CIS AWS v3.0.0) | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_usage |
Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | 1.19 (CIS AWS v1.5.0), 1.19 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_iam_server_certificates |
Ensure there is only one active access key available for any single IAM user | 1.13 (CIS AWS v1.5.0), 1.13 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_iam_user_available_access_keys |
Ensure IAM users receive permissions only through groups | IAM.2 (AWS FSBP), 1.15 (CIS AWS v1.5.0), 1.15 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment |
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IAM.5 (AWS FSBP), 1.10 (CIS AWS v1.5.0), 1.10 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_iam_user_mfa |
Ensure that Kinesis streams are encrypted at rest | Kinesis.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_kinesis_stream_encryption |
Ensure that AWS KMS keys are not deleted unintentionally | KMS.3 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_kms_key_deletion |
Ensure that IAM customer managed policies do not allow decryption actions on all KMS keys | KMS.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_kms_key_iam_policies |
Ensure rotation for customer created symmetric CMKs is enabled | 3.8 (CIS AWS v1.5.0), 3.6 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_kms_symmetric_cmk_rotation |
Ensure that Lambda functions are not publicly accessible unless explicitly allowed | Lambda.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_lambda_public_access |
Ensure that Lambda functions use supported runtimes | Lambda.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_lambda_runtime |
Ensure that VPC Lambda functions operate in more than one Availability Zone | Lambda.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_lambda_vpc_availability_zone |
Ensure a log metric filter and alarm exist for S3 bucket policy changes | 4.8 (CIS AWS v1.5.0), 4.8 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_bucket_policy_changes |
Ensure a log metric filter and alarm exist for CloudTrail configuration changes | 4.5 (CIS AWS v1.5.0), 4.5 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_cloudtrail_changes |
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | 4.7 (CIS AWS v1.5.0), 4.7 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_cmk_changes |
Ensure a log metric filter and alarm exist for AWS Config configuration changes | 4.9 (CIS AWS v1.5.0), 4.9 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_config_changes |
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | 4.6 (CIS AWS v1.5.0), 4.6 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_auth_failure |
Ensure a log metric filter and alarm exist for usage of the root user | 4.3 (CIS AWS v1.5.0), 4.3 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_root_user_usage |
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | 4.2 (CIS AWS v1.5.0), 4.2 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_console_signin_mfa |
Ensure a log metric filter and alarm exist for IAM policy changes | 4.4 (CIS AWS v1.5.0), 4.4 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_iam_policy_changes |
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | 4.11 (CIS AWS v1.5.0), 4.11 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_nacl_changes |
Ensure a log metric filter and alarm exist for changes to network gateways | 4.12 (CIS AWS v1.5.0), 4.12 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_network_gateway_changes |
Ensure a log metric filter and alarm exist for AWS Organizations changes | 4.15 (CIS AWS v1.5.0), 4.15 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_organizations_changes |
Ensure a log metric filter and alarm exist for route table changes | 4.13 (CIS AWS v1.5.0), 4.13 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_route_table_changes |
Ensure a log metric filter and alarm exist for security group changes | 4.10 (CIS AWS v1.5.0), 4.10 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_security_group_changes |
Ensure a log metric filter and alarm exist for unauthorized API calls | 4.1 (CIS AWS v1.5.0), 4.1 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_unauthorized_api_calls |
Ensure a log metric filter and alarm exist for VPC changes | 4.14 (CIS AWS v1.5.0), 4.14 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_logmetric_vpc_changes |
Ensure that unused Network Access Control Lists are removed | EC2.16 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_networking_acl_assosiations |
Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | EC2.21 (AWS FSBP), 5.1 (CIS AWS v1.5.0), 5.1 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_networking_acl_ingress |
Ensure that the VPC default security group does not allow inbound or outbound traffic | EC2.2 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_networking_default_sg_restriction |
Ensure that the default stateless action for Network Firewall policies is drop or forward for full packets | NetworkFirewall.4 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_fp_stateless_action |
Ensure that the default stateless action for Network Firewall policies is drop or forward for fragmented packets | NetworkFirewall.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_fp_stateless_fragment_action |
Ensure that stateless Network Firewall rule groups are not empty | NetworkFirewall.6 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_frg_rules |
Ensure the default security group restricts all traffic | 5.4 (CIS AWS v1.5.0), 5.4 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_networking_sg_baseline |
Ensure that security groups only allow unrestricted incoming traffic for authorized ports | EC2.18 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_rules |
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | 5.2 (CIS AWS v1.5.0), 5.2 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4 |
Ensure no security groups allow ingress from ::/0 to remote server administration ports | 5.3 (CIS AWS v1.5.0), 5.3 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6 |
Ensure that EC2 subnets do not automatically assign public IP addresses | EC2.15 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_subnet_public_ip |
Ensure that Transit Gateways do not automatically accept VPC attachment requests | EC2.23 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_networking_transit_gateway_auto_vpc_attachment |
Ensure AWS VPC flow logging is enabled | EC2.6 (AWS FSBP), 3.9 (CIS AWS v1.5.0), 3.7 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging |
Ensure that both VPN tunnels of an AWS Site-to-Site VPN connection are up | EC2.20 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_networking_vpn_tunnels_state |
Ensure that RDS clusters use a custom administrator username | RDS.24 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_cluster_administrator_username |
Ensure that RDS DB clusters are configured with multiple Availability Zones | RDS.15 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_availability_zone |
Ensure that Amazon Aurora clusters have backtracking enabled | RDS.14 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_backtracking |
Ensure that RDS DB clusters are configured to copy tags to snapshots | RDS.16 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_copy_tags_to_snapshots |
Ensure that RDS clusters have deletion protection enabled | RDS.7 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_rds_cluster_deletion_protection |
Ensure that IAM authentication is configured for RDS clusters | RDS.12 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_cluster_iam_authentication |
Ensure that RDS instances and clusters do not use a database engine default port | RDS.23 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_default_port_usage |
Ensure that public access is not given to RDS instances | RDS.2 (AWS FSBP), 2.3.3 (CIS AWS v1.5.0), 2.3.3 (CIS AWS v3.0.0) | High | decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility |
Ensure that RDS Database instances use a custom administrator username | RDS.25 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_administrator_username |
Ensure auto minor version upgrade feature is enabled for RDS instances | RDS.13 (AWS FSBP), 2.3.2 (CIS AWS v1.5.0), 2.3.2 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade |
Ensure that RDS instances have automatic backups enabled | RDS.11 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_automatic_backup |
Ensure that RDS DB instances are configured with multiple Availability Zones | RDS.5 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_availability_zone |
Ensure that RDS DB instances are configured to copy tags to snapshots | RDS.17 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_instance_copy_tags_to_snapshots |
Ensure that RDS DB instances have deletion protection enabled | RDS.8 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_rds_instance_deletion_protection |
Ensure encryption is enabled for RDS instances | RDS.3 (AWS FSBP), 2.3.1 (CIS AWS v1.5.0), 2.3.1 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_encryption |
Ensure that enhanced monitoring is configured for RDS DB instances | RDS.6 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_rds_instance_enhanced_monitoring |
Ensure that IAM authentication is configured for RDS instances | RDS.10 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_iam_authentication |
Ensure that RDS DB instances have database logging enabled | RDS.9 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_logging |
Ensure that RDS instances are deployed in a VPC | RDS.18 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_vpc |
Ensure that RDS snapshots are private | RDS.1 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_rds_snapshot_accessibility |
Ensure that RDS cluster snapshots and database snapshots are encrypted at rest | RDS.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_snapshot_encryption |
Ensure that an RDS event notifications subscription is configured for critical database parameter group events | RDS.21 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_subscription_parameter_group_event |
Ensure that an RDS event notifications subscription is configured for critical database security group events | RDS.22 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_rds_subscription_security_group_event |
Ensure that the account-level S3 Block Public Access setting is enabled | S3.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_account_public_access_block |
Ensure access logging is enabled for important S3 buckets | S3.9 (AWS FSBP), 3.6 (CIS AWS v1.5.0), 3.4 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging |
Ensure that S3 permissions granted to other AWS accounts in bucket policies are restricted | S3.6 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_account_permission |
Ensure that S3 access control lists (ACLs) are not used | S3.12 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_acl |
Ensure that S3 buckets have cross-region replication enabled | S3.7 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_cross_region_replication |
Ensure all S3 buckets are encrypted | S3.4 (AWS FSBP), 2.1.1 (CIS AWS v1.5.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption |
Ensure that S3 buckets have event notifications enabled | S3.11 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_s3_bucket_event_notifications |
Ensure that S3 buckets are encrypted at rest with AWS KMS keys | S3.17 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_kms_encryption |
Ensure that S3 buckets have lifecycle policies configured | S3.13 (AWS FSBP) | Info | decision.api.shisho.dev/v1beta:aws_s3_bucket_lifecycle_policy |
Ensure MFA Delete is enabled on S3 buckets | 2.1.3 (CIS AWS v1.5.0), 2.1.3 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete |
Ensure that S3 buckets are configured to use Object Lock | S3.15 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_object_lock |
Ensure S3 buckets have Block Public Access enabled | S3.8 (AWS FSBP), 2.1.5 (CIS AWS v1.5.0), 2.1.4 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block |
Ensure S3 buckets prohibit public read access | S3.2 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_read_access |
Ensure S3 buckets prohibit public write access | S3.3 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_write_access |
Ensure CloudTrail trails are logging S3 bucket read events | 3.11 (CIS AWS v1.5.0), 3.9 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_read_trail |
Ensure S3 buckets deny HTTP requests | 2.1.2 (CIS AWS v1.5.0), 2.1.1 (CIS AWS v3.0.0) | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_transport |
Ensure that S3 buckets use versioning | S3.14 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_versioning |
Ensure that S3 buckets with versioning enabled have lifecycle policies configured | S3.10 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_versioning_lifecycle_policy |
Ensure CloudTrail trails are logging S3 bucket data write events | 3.10 (CIS AWS v1.5.0), 3.8 (CIS AWS v3.0.0) | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_write_trail |
Ensure that Secrets Manager secrets have automatic rotation enabled | SecretsManager.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_auto_rotation |
Ensure that Secrets Manager secrets configured with automatic rotation rotate successfully | SecretsManager.2 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_auto_rotation_state |
Ensure that Secrets Manager secrets are rotated within a specified number of days | SecretsManager.4 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_rotation_interval |
Ensure that unused Secrets Manager secrets are removed | SecretsManager.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_secretsmanager_secret_usage |
Ensure AWS Security Hub is enabled | 4.16 (CIS AWS v1.5.0), 4.16 (CIS AWS v3.0.0) | Info | decision.api.shisho.dev/v1beta:aws_securityhub_usage |
Ensure that SNS topics are encrypted at rest using AWS KMS | SNS.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_sns_kms_encryption |
Ensure that Amazon SQS queues are encrypted at rest | SQS.1 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_sqs_encryption |
Ensure that EC2 instances managed by Systems Manager have an association compliance status of COMPLIANT | SSM.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_ssm_association_compliance |
Ensure that SSM documents are not public | SSM.4 (AWS FSBP) | Critical | decision.api.shisho.dev/v1beta:aws_ssm_document_accessibility |
Ensure that EC2 instances are managed by AWS Systems Manager | SSM.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_ssm_managed_instances |
Ensure that EC2 instances managed by Systems Manager have a patch compliance status of COMPLIANT after a patch installation | SSM.2 (AWS FSBP) | High | decision.api.shisho.dev/v1beta:aws_ssm_patch_compliance |
Ensure that WAF Classic rules have at least one condition | WAF.2 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_rule_condition |
Ensure that WAF Classic rule groups have at least one rule | WAF.3 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_rule_group_attached_rules |
Ensure that AWS WAF Classic Global Web ACL logging is enabled | WAF.1 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_waf_classic_web_acl_logging |
Ensure that WAF Classic Web ACLs have at least one rule or rule group | WAF.4 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_web_acl_rules |
Ensure that AWS WAFv2 web ACL logging is activated | WAF.11 (AWS FSBP) | Medium | decision.api.shisho.dev/v1beta:aws_waf_web_acl_logging |
Ensure that WAFv2 web ACLs have at least one rule or rule group | WAF.10 (AWS FSBP) | Low | decision.api.shisho.dev/v1beta:aws_waf_web_acl_rules |