Skip to main content

Managed Security Review for AWS

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page explains managed security reviews for AWS provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.

To use managed security reviews

By applying Shisho Cloud workflows to your organization, you'll see security review results soon:

All managed review items

TitleRelated StandardsDefault SeverityID in Shisho Cloud
Ensure Application Load Balancer deletion protection is enabledELB.6 (AWS FSBP)Lowdecision.api.shisho.dev/v1beta:aws_alb_delete_protection
Ensure Application Load Balancers mitigate HTTP desync attacksELB.12 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_alb_desync_mitigation
Ensure Application Load Balancers drop invalid HTTP headersELB.4 (AWS FSBP)Lowdecision.api.shisho.dev/v1beta:aws_alb_invalid_header_handling
Ensure Application Load Balancers have an active logging bucketELB.5 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_alb_logging
Ensure CloudFront distributions have a default root objectCloudFront.1 (AWS FSBP)Criticaldecision.api.shisho.dev/v1beta:aws_cloudfront_default_root_object
Ensure CloudFront distributions have an active logging bucketCloudFront.5 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_cloudfront_logging
Ensure CloudFront distributions with S3 backends use origin access control enabledCloudFront.13 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_cloudfront_origin_access_control
Ensure that connections to CloudFront distribution origins are forced to use HTTPSCloudFront.9 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport
Ensure that HTTPS connections to CloudFront distribution origins use secure SSL/TLS protocolsCloudFront.10 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport_version
Ensure that connections to CloudFront distributions are forced to use HTTPSCloudFront.3 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_cloudfront_transport
Ensure EBS volume encryption is enabled in all regions2.2.1 (CIS AWS v1.5.0), EC2.7 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline
Ensure root filesystem operation by ECS containers is limited to read-only accessECS.5 (AWS FSBP)Lowdecision.api.shisho.dev/v1beta:aws_ecs_container_fs_permission
Ensure ECS containers run as non-privilegedECS.4 (AWS FSBP)Highdecision.api.shisho.dev/v1beta:aws_ecs_container_privilege
Ensure public IP addresses are not assigned to ECS services automaticallyECS.2 (AWS FSBP)Highdecision.api.shisho.dev/v1beta:aws_ecs_service_public_ip
Ensure EFS file systems are encrypted2.4.1 (CIS AWS v1.5.0)Mediumdecision.api.shisho.dev/v1beta:aws_efs_volume_encryption
Ensure IAM policies that allow full administrative privileges are not attached1.16 (CIS AWS v1.5.0), IAM.1 (AWS FSBP)Criticaldecision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation
Ensure credentials unused for specific days are disabled1.12 (CIS AWS v1.5.0), IAM.22 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_iam_credentials_inventory
Ensure AWS IAM access keys are rotated per pre-defined time window1.14 (CIS AWS v1.5.0), IAM.3 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_iam_key_rotation
Ensure IAM password policy requires enough minimum length1.8 (CIS AWS v1.5.0), IAM.15 (AWS FSBP)Highdecision.api.shisho.dev/v1beta:aws_iam_password_length
Ensure IAM password policy prevents password reuse1.9 (CIS AWS v1.5.0), IAM.16 (AWS FSBP)Highdecision.api.shisho.dev/v1beta:aws_iam_password_reuse
Ensure Hardware MFA is enabled for the root user account1.6 (CIS AWS v1.5.0), IAM.6 (AWS FSBP)Highdecision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa
Ensure the AWS root user does not have access keys1.4 (CIS AWS v1.5.0), IAM.4 (AWS FSBP)Highdecision.api.shisho.dev/v1beta:aws_iam_root_user_key
Ensure MFA is enabled for the root user account1.5 (CIS AWS v1.5.0), IAM.9 (AWS FSBP)Criticaldecision.api.shisho.dev/v1beta:aws_iam_root_user_mfa
Ensure the AWS root user is used only for limited usage1.7 (CIS AWS v1.5.0)Criticaldecision.api.shisho.dev/v1beta:aws_iam_root_user_usage
Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports5.1 (CIS AWS v1.5.0), EC2.21 (AWS FSBP)Highdecision.api.shisho.dev/v1beta:aws_networking_acl_ingress
Block all traffic by the default security group to avoid using it5.4 (CIS AWS v1.5.0)Infodecision.api.shisho.dev/v1beta:aws_networking_sg_baseline
Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports5.1 (CIS AWS v1.5.0), EC2.14 (AWS FSBP)Highdecision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4
Ensure no security groups allow ingress from ::/0 to remote server administration ports5.3 (CIS AWS v1.5.0)Highdecision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6
Ensure that public access is not given to RDS instances2.3.3 (CIS AWS v1.5.0), RDS.2 (AWS FSBP)Criticaldecision.api.shisho.dev/v1beta:aws_rds_instance_accessibility
Ensure auto minor version upgrade feature is enabled for RDS instances2.3.2 (CIS AWS v1.5.0), RDS.13 (AWS FSBP)Lowdecision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade
Ensure encryption is enabled for RDS instances2.3.1 (CIS AWS v1.5.0), RDS.3 (AWS FSBP)Mediumdecision.api.shisho.dev/v1beta:aws_rds_instance_encryption
Ensure access logging is enabled for important S3 buckets3.6 (CIS AWS v1.5.0), S3.9 (AWS FSBP)Lowdecision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging
Ensure all S3 buckets are encrypted2.1.1 (CIS AWS v1.5.0), S3.4 (AWS FSBP)Lowdecision.api.shisho.dev/v1beta:aws_s3_bucket_encryption
Ensure MFA Delete is enabled on S3 buckets2.1.3 (CIS AWS v1.5.0)Mediumdecision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete
Ensure S3 buckets enabled block public access featureS3.8 (AWS FSBP), 2.1.5 (CIS AWS v1.5.0)Mediumdecision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block
Ensure S3 buckets deny HTTP requests2.1.2 (CIS AWS v1.5.0)Mediumdecision.api.shisho.dev/v1beta:aws_s3_bucket_transport