# Managed Security Review for AWS

This page explains the _managed_ security reviews for AWS provided by Flatt Security.
Note that Flatt Security may provide more policies than the ones described here, depending on your support plan.

## To use managed security reviews

Apply the following Shisho Cloud workflows to your organization, and security review results will appear shortly afterwards:

- [Workflows for CIS AWS Foundations Benchmark v1.5.0](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/cis-benchmark/aws-v1.5.0)
- [Workflows for AWS Foundational Security Best Practices (FSBP)](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/csp/aws-fsbp)
- [More Workflows for AWS by Flatt Security](https://github.com/flatt-security/shisho-cloud-managed-workflows/tree/main/workflows/flatt/aws)

## All managed review items

| Title                                                                                                                       | Related Standards                                                       | Default Severity | ID in Shisho Cloud                                                                       |
| --------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- | ---------------- | ---------------------------------------------------------------------------------------- |
| Ensure that ACM certificates are renewed before expiry                                                                      | ACM.1 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_acm_certificate_expiry`                              |
| Ensure that ACM RSA certificates use allowed key algorithms                                                                 | ACM.2 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_acm_certificate_key_algorithm`                       |
| Ensure Application Load Balancer deletion protection is enabled                                                             | ELB.6 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_alb_delete_protection`                               |
| Ensure Application Load Balancers mitigate HTTP desync attacks                                                              | ELB.12 (AWS FSBP)                                                       | Medium           | `decision.api.shisho.dev/v1beta:aws_alb_desync_mitigation`                               |
| Ensure Application Load Balancers redirect all HTTP requests to HTTPS                                                       | ELB.1 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_alb_https_redirection`                               |
| Ensure Application Load Balancers drop invalid HTTP headers                                                                 | ELB.4 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_alb_invalid_header_handling`                         |
| Ensure Application Load Balancers have an active logging bucket                                                             | ELB.5 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_alb_logging`                                         |
| Ensure that the Web Application Avoids Public Exposure of AMIs                                                              |                                                                         | Critical         | `decision.api.shisho.dev/v1beta:aws_ami_public_access`                                   |
| Ensure that access logging is configured for API Gateway V2 stages                                                          | APIGateway.9 (AWS FSBP)                                                 | Medium           | `decision.api.shisho.dev/v1beta:aws_apigateway_access_logging`                           |
| Ensure that API Gateway REST API cache data is encrypted at rest                                                            | APIGateway.5 (AWS FSBP)                                                 | Info             | `decision.api.shisho.dev/v1beta:aws_apigateway_cache_encryption`                         |
| Ensure that logging for API Gateway REST and WebSocket API is enabled                                                       | APIGateway.1 (AWS FSBP)                                                 | Medium           | `decision.api.shisho.dev/v1beta:aws_apigateway_logging`                                  |
| Ensure that API Gateway routes or backends have proper authentication                                                       | APIGateway.8 (AWS FSBP)                                                 | High             | `decision.api.shisho.dev/v1beta:aws_apigateway_route_auth`                               |
| Ensure that access to API Gateway backends uses client certificates                                                         | APIGateway.2 (AWS FSBP)                                                 | High             | `decision.api.shisho.dev/v1beta:aws_apigateway_ssl_certificates`                         |
| Ensure that API Gateway is associated with a WAF Web ACL                                                                    | APIGateway.4 (AWS FSBP)                                                 | Info             | `decision.api.shisho.dev/v1beta:aws_apigateway_waf_web_acl`                              |
| Ensure that AWS X-Ray tracing for API Gateway is enabled                                                                    | APIGateway.3 (AWS FSBP)                                                 | Info             | `decision.api.shisho.dev/v1beta:aws_apigateway_xray_tracing`                             |
| Ensure that Auto Scaling groups cover multiple Availability Zones                                                           | AutoScaling.2 (AWS FSBP)                                                | Low              | `decision.api.shisho.dev/v1beta:aws_autoscaling_group_availability_zones`                |
| Ensure that Auto Scaling groups use multiple instance types in multiple Availability Zones                                  | AutoScaling.6 (AWS FSBP)                                                | Low              | `decision.api.shisho.dev/v1beta:aws_autoscaling_group_instance_types`                    |
| Ensure that Auto Scaling groups use EC2 launch templates                                                                    | AutoScaling.9 (AWS FSBP)                                                | Info             | `decision.api.shisho.dev/v1beta:aws_autoscaling_group_launch_template`                   |
| Ensure that Auto Scaling groups associated with a Classic Load Balancer use load balancer health checks                     | AutoScaling.1 (AWS FSBP)                                                | Low              | `decision.api.shisho.dev/v1beta:aws_autoscaling_group_lb_health_check`                   |
| Ensure that Auto Scaling groups require IMDSv2                                                                              | AutoScaling.3 (AWS FSBP)                                                | Medium           | `decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_imdsv2`             |
| Ensure that EC2 instances do not have Public IP addresses                                                                   | AutoScaling.5 (AWS FSBP)                                                | Medium           | `decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_public_ip`          |
| Ensure that Auto Scaling group launch configurations do not have a metadata response hop limit greater than 1               | AutoScaling.4 (AWS FSBP)                                                | Medium           | `decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_response_hop_limit` |
| Ensure that events on CloudFormation stacks are integrated with an SNS topic                                                | CloudFormation.1 (AWS FSBP)                                             | Info             | `decision.api.shisho.dev/v1beta:aws_cloudformation_stack_sns`                            |
| Ensure that CloudFront distributions use custom SSL/TLS certificates                                                        | CloudFront.7 (AWS FSBP)                                                 | Medium           | `decision.api.shisho.dev/v1beta:aws_cloudfront_default_certificate`                      |
| Ensure CloudFront distributions have a default root object                                                                  | CloudFront.1 (AWS FSBP)                                                 | Critical         | `decision.api.shisho.dev/v1beta:aws_cloudfront_default_root_object`                      |
| Ensure CloudFront distributions have an active logging bucket                                                               | CloudFront.5 (AWS FSBP)                                                 | Medium           | `decision.api.shisho.dev/v1beta:aws_cloudfront_logging`                                  |
| Ensure CloudFront distributions with S3 backends have origin access control enabled                                         | CloudFront.13 (AWS FSBP)                                                | Medium           | `decision.api.shisho.dev/v1beta:aws_cloudfront_origin_access_control`                    |
| Ensure that CloudFront distributions have origin failover configured                                                        | CloudFront.4 (AWS FSBP)                                                 | Low              | `decision.api.shisho.dev/v1beta:aws_cloudfront_origin_failover`                          |
| Ensure that CloudFront distributions point to existent S3 origins                                                           | CloudFront.12 (AWS FSBP)                                                | High             | `decision.api.shisho.dev/v1beta:aws_cloudfront_origin_s3_bucket_existence`               |
| Ensure that connections to CloudFront distribution origins are forced to use HTTPS                                          | CloudFront.9 (AWS FSBP)                                                 | Medium           | `decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport`                         |
| Ensure that HTTPS connections to CloudFront distribution origins use secure SSL/TLS protocols                               | CloudFront.10 (AWS FSBP)                                                | Medium           | `decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport_version`                 |
| Ensure that CloudFront distributions use SNI to serve HTTPS requests                                                        | CloudFront.8 (AWS FSBP)                                                 | Info             | `decision.api.shisho.dev/v1beta:aws_cloudfront_sni`                                      |
| Ensure that the Web Application Enforces the Use of a Secure TLS Version When Connecting to CloudFront                      |                                                                         | High             | `decision.api.shisho.dev/v1beta:aws_cloudfront_tls_version`                              |
| Ensure that connections to CloudFront distributions are forced to use HTTPS                                                 | CloudFront.3 (AWS FSBP)                                                 | Medium           | `decision.api.shisho.dev/v1beta:aws_cloudfront_transport`                                |
| Ensure that CloudFront distributions have WAF enabled                                                                       | CloudFront.6 (AWS FSBP)                                                 | Low              | `decision.api.shisho.dev/v1beta:aws_cloudfront_waf`                                      |
| Ensure CloudTrail trails are integrated with CloudWatch Logs                                                                | CloudTrail.5 (AWS FSBP), 3.4 (CIS AWS v1.5.0)                           | Info             | `decision.api.shisho.dev/v1beta:aws_cloudtrail_cloudwatch_logs_integration`              |
| Ensure CloudTrail logs are encrypted at rest using KMS CMKs                                                                 | CloudTrail.2 (AWS FSBP), 3.7 (CIS AWS v1.5.0), 3.5 (CIS AWS v3.0.0)     | Low              | `decision.api.shisho.dev/v1beta:aws_cloudtrail_cmk_encryption`                           |
| Ensure the S3 bucket for CloudTrail logs is not publicly accessible                                                         | 3.3 (CIS AWS v1.5.0)                                                    | Low              | `decision.api.shisho.dev/v1beta:aws_cloudtrail_log_bucket_accessibility`                 |
| Ensure CloudTrail log file validation is enabled                                                                            | PCI.CloudTrail.4 (AWS FSBP), 3.2 (CIS AWS v1.5.0), 3.2 (CIS AWS v3.0.0) | Medium           | `decision.api.shisho.dev/v1beta:aws_cloudtrail_log_file_validation`                      |
| Ensure CloudTrail is enabled in all regions                                                                                 | CloudTrail.1 (AWS FSBP), 3.1 (CIS AWS v1.5.0), 3.1 (CIS AWS v3.0.0)     | High             | `decision.api.shisho.dev/v1beta:aws_cloudtrail_usage`                                    |
| Ensure that CodeBuild project environments do not have privileged mode enabled                                              | CodeBuild.5 (AWS FSBP)                                                  | Medium           | `decision.api.shisho.dev/v1beta:aws_codebuild_project_env_privileged_mode`               |
| Ensure that CodeBuild project environment variables do not contain clear text AWS credentials                               | CodeBuild.2 (AWS FSBP)                                                  | High             | `decision.api.shisho.dev/v1beta:aws_codebuild_project_env_variables`                     |
| Ensure that CodeBuild project environments have logging configured                                                          | CodeBuild.4 (AWS FSBP)                                                  | Low              | `decision.api.shisho.dev/v1beta:aws_codebuild_project_logging_status`                    |
| Ensure that CodeBuild projects are configured to encrypt S3 logs                                                            | CodeBuild.3 (AWS FSBP)                                                  | Low              | `decision.api.shisho.dev/v1beta:aws_codebuild_project_s3_logs_encryption`                |
| Ensure that CodeBuild Bitbucket source repository URLs do not include credentials                                           | CodeBuild.1 (AWS FSBP)                                                  | High             | `decision.api.shisho.dev/v1beta:aws_codebuild_project_source_repository_credential`      |
| Ensure That the Web Application Minimizes Role Assignment to Authenticated Users of Cognito Identity Pool                   |                                                                         | High             | `decision.api.shisho.dev/v1beta:aws_cognito_authenticated_role`                          |
| Ensure That the Web Application Avoids Granting Roles to Unauthenticated Users in Cognito Identity Pool                     |                                                                         | Critical         | `decision.api.shisho.dev/v1beta:aws_cognito_unauthenticated_role`                        |
| Ensure AWS Config is enabled in all regions                                                                                 | Config.1 (AWS FSBP), 3.5 (CIS AWS v1.5.0), 3.3 (CIS AWS v3.0.0)         | Info             | `decision.api.shisho.dev/v1beta:aws_config_recorder_status`                              |
| Ensure that DynamoDB Accelerator clusters are encrypted at rest                                                             | DynamoDB.3 (AWS FSBP)                                                   | Low              | `decision.api.shisho.dev/v1beta:aws_dax_cluster_encryption`                              |
| Ensure that DynamoDB tables have point-in-time recovery enabled                                                             | DynamoDB.2 (AWS FSBP)                                                   | Medium           | `decision.api.shisho.dev/v1beta:aws_dynamodb_table_point_in_time_recovery`               |
| Ensure that DynamoDB tables use auto scaling                                                                                | DynamoDB.1 (AWS FSBP)                                                   | Low              | `decision.api.shisho.dev/v1beta:aws_dynamodb_table_scale_capacity`                       |
| Ensure that Amazon EBS snapshots are not publicly restorable                                                                | EC2.1 (AWS FSBP)                                                        | Critical         | `decision.api.shisho.dev/v1beta:aws_ebs_snapshot_publicly_restorable`                    |
| Ensure that attached Amazon EBS volumes are encrypted at rest                                                               | EC2.3 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption`                               |
| Ensure EBS volume encryption is enabled in all regions                                                                      | EC2.7 (AWS FSBP), 2.2.1 (CIS AWS v1.5.0), 2.2.1 (CIS AWS v3.0.0)        | Low              | `decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline`                      |
| Ensure that EC2 instances use Instance Metadata Service Version 2 (IMDSv2)                                                  | EC2.8 (AWS FSBP), 5.6 (CIS AWS v3.0.0)                                  | High             | `decision.api.shisho.dev/v1beta:aws_ec2_instance_imdsv2`                                 |
| Ensure that EC2 instances do not use multiple ENIs                                                                          | EC2.17 (AWS FSBP)                                                       | Info             | `decision.api.shisho.dev/v1beta:aws_ec2_instance_network_interface`                      |
| Ensure that EC2 instances do not have a public IPv4 address                                                                 | EC2.9 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_ec2_instance_public_ip_address`                      |
| Ensure that stopped EC2 instances are removed                                                                               | EC2.4 (AWS FSBP)                                                        | Info             | `decision.api.shisho.dev/v1beta:aws_ec2_instance_state`                                  |
| Ensure that EC2 paravirtual instance types are not used                                                                     | EC2.24 (AWS FSBP)                                                       | Info             | `decision.api.shisho.dev/v1beta:aws_ec2_instance_virtualization`                         |
| Ensure that EC2 is configured to use VPC endpoints to connect to the EC2 API                                                | EC2.10 (AWS FSBP)                                                       | Info             | `decision.api.shisho.dev/v1beta:aws_ec2_instance_vpc_endpoint`                           |
| Ensure that EC2 launch templates do not assign public IPs to network interfaces                                             | EC2.25 (AWS FSBP)                                                       | Medium           | `decision.api.shisho.dev/v1beta:aws_ec2_launch_template_public_ip_address`               |
| Ensure that ECR private repositories have image scanning configured                                                         | ECR.1 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_ecr_repository_image_scan_config`                    |
| Ensure that ECR repositories have at least one lifecycle policy configured                                                  | ECR.3 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_ecr_repository_lifecycle_policy_config`              |
| Ensure that ECR private repositories have tag immutability configured                                                       | ECR.2 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_ecr_repository_tag_immutability`                     |
| Ensure that ECS clusters use Container Insights                                                                             | ECS.12 (AWS FSBP)                                                       | Info             | `decision.api.shisho.dev/v1beta:aws_ecs_cluster_container_insights`                      |
| Ensure that secrets are not passed as container environment variables                                                       | ECS.8 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_ecs_container_environment_variables`                 |
| Ensure root filesystem operation by ECS containers is limited to read-only access                                           | ECS.5 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_ecs_container_fs_permission`                         |
| Ensure ECS containers run as non-privileged                                                                                 | ECS.4 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_ecs_container_privilege`                             |
| Ensure public IP addresses are not assigned to ECS services automatically                                                   | ECS.2 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_ecs_service_public_ip`                               |
| Ensure that ECS Fargate services run on proper Fargate platform versions                                                    | ECS.10 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_ecs_task_fargate_version`                            |
| Ensure that ECS task definitions have secure networking modes                                                               | ECS.1 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_ecs_task_networking_mode`                            |
| Ensure that ECS task definitions do not share the host's process namespace                                                  | ECS.3 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_ecs_task_process_namespace`                          |
| Ensure that EFS access points have a root directory other than /                                                            | EFS.3 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_efs_access_point_root_directory`                     |
| Ensure that EFS access points enforce a user identity                                                                       | EFS.4 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_efs_access_point_user_identity`                      |
| Ensure that Amazon EFS volumes are in backup plans                                                                          | EFS.2 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_efs_volume_backup_plan`                              |
| Ensure EFS file systems are encrypted                                                                                       | EFS.1 (AWS FSBP), 2.4.1 (CIS AWS v1.5.0), 2.4.1 (CIS AWS v3.0.0)        | Medium           | `decision.api.shisho.dev/v1beta:aws_efs_volume_encryption`                               |
| Ensure that audit logging for EKS clusters is enabled                                                                       | EKS.8 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_eks_audit_logging`                                   |
| Ensure that access to EKS cluster endpoints is restricted                                                                   | EKS.1 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_eks_public_access`                                   |
| Ensure that AWS Load Balancers span multiple Availability Zones                                                             | ELB.13 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_elb_availability_zones`                              |
| Ensure That the Web Application Enforces the Use of a Secure TLS Version When Connecting to ELB                             |                                                                         | High             | `decision.api.shisho.dev/v1beta:aws_elb_tls_version`                                     |
| Ensure that the Web Application Enforces the Use of HTTPS When Connecting to ELB                                            |                                                                         | High             | `decision.api.shisho.dev/v1beta:aws_elb_transport`                                       |
| Ensure That the Web Application Controls Communication Between ALB and Backend Using Only Security Groups                   |                                                                         | Medium           | `decision.api.shisho.dev/v1beta:aws_elb_transport_sg`                                    |
| Ensure that GuardDuty is enabled                                                                                            | GuardDuty.1 (AWS FSBP)                                                  | Medium           | `decision.api.shisho.dev/v1beta:aws_guardduty_status`                                    |
| Ensure that IAM Access Analyzer is enabled for all regions                                                                  | 1.20 (CIS AWS v1.5.0), 1.20 (CIS AWS v3.0.0)                            | Info             | `decision.api.shisho.dev/v1beta:aws_iam_access_analyzers`                                |
| Ensure that security contact information is registered to AWS accounts                                                      | Account.1 (AWS FSBP), 1.2 (CIS AWS v1.5.0), 1.2 (CIS AWS v3.0.0)        | Info             | `decision.api.shisho.dev/v1beta:aws_iam_account_alternate_contact`                       |
| Ensure IAM policies that allow full administrative privileges are not attached                                              | IAM.1 (AWS FSBP), 1.16 (CIS AWS v1.5.0), 1.16 (CIS AWS v3.0.0)          | Critical         | `decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation`                |
| Ensure That the Web Application Minimizes the Trust Relationship of IAM Roles                                               |                                                                         | Low              | `decision.api.shisho.dev/v1beta:aws_iam_assumerole_policy`                               |
| Ensure access keys are not set up during initial user setup for all IAM users with a console password                       | 1.11 (CIS AWS v1.5.0), 1.11 (CIS AWS v3.0.0)                            | Medium           | `decision.api.shisho.dev/v1beta:aws_iam_console_user_keys`                               |
| Ensure credentials unused for a specified number of days are disabled                                                       | IAM.8 (AWS FSBP), 1.12 (CIS AWS v1.5.0), 1.12 (CIS AWS v3.0.0)          | High             | `decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory`                           |
| Ensure AWS IAM access keys are rotated within a predefined time window                                                      | IAM.3 (AWS FSBP), 1.14 (CIS AWS v1.5.0), 1.14 (CIS AWS v3.0.0)          | Medium           | `decision.api.shisho.dev/v1beta:aws_iam_key_rotation`                                    |
| Ensure IAM password policy requires a sufficient minimum length                                                             | 1.8 (CIS AWS v1.5.0), 1.8 (CIS AWS v3.0.0)                              | High             | `decision.api.shisho.dev/v1beta:aws_iam_password_length`                                 |
| Ensure IAM password policy prevents password reuse                                                                          | 1.9 (CIS AWS v1.5.0), 1.9 (CIS AWS v3.0.0)                              | High             | `decision.api.shisho.dev/v1beta:aws_iam_password_reuse`                                  |
| Ensure that IAM policies that you create do not use wildcard actions                                                        | IAM.21 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_iam_policy_service_limitation`                       |
| Ensure a support role has been created to manage incidents with AWS Support                                                 | 1.17 (CIS AWS v1.5.0), 1.17 (CIS AWS v3.0.0)                            | Low              | `decision.api.shisho.dev/v1beta:aws_iam_role_for_support`                                |
| Ensure Hardware MFA is enabled for the root user account                                                                    | IAM.6 (AWS FSBP), 1.6 (CIS AWS v1.5.0), 1.6 (CIS AWS v3.0.0)            | High             | `decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa`                          |
| Ensure the AWS root user does not have access keys                                                                          | IAM.4 (AWS FSBP), 1.4 (CIS AWS v1.5.0), 1.4 (CIS AWS v3.0.0)            | Critical         | `decision.api.shisho.dev/v1beta:aws_iam_root_user_key`                                   |
| Ensure MFA is enabled for the root user account                                                                             | 1.5 (CIS AWS v1.5.0), 1.5 (CIS AWS v3.0.0)                              | Critical         | `decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa`                                   |
| Ensure the AWS root user is used only for a limited set of tasks                                                            | 1.7 (CIS AWS v1.5.0), 1.7 (CIS AWS v3.0.0)                              | Critical         | `decision.api.shisho.dev/v1beta:aws_iam_root_user_usage`                                 |
| Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed                                              | 1.19 (CIS AWS v1.5.0), 1.19 (CIS AWS v3.0.0)                            | Low              | `decision.api.shisho.dev/v1beta:aws_iam_server_certificates`                             |
| Ensure there is only one active access key available for any single IAM user                                                | 1.13 (CIS AWS v1.5.0), 1.13 (CIS AWS v3.0.0)                            | Medium           | `decision.api.shisho.dev/v1beta:aws_iam_user_available_access_keys`                      |
| Ensure IAM users receive permissions only through groups                                                                    | IAM.2 (AWS FSBP), 1.15 (CIS AWS v1.5.0), 1.15 (CIS AWS v3.0.0)          | Low              | `decision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment`                |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password                          | IAM.5 (AWS FSBP), 1.10 (CIS AWS v1.5.0), 1.10 (CIS AWS v3.0.0)          | High             | `decision.api.shisho.dev/v1beta:aws_iam_user_mfa`                                        |
| Ensure that Kinesis streams are encrypted at rest                                                                           | Kinesis.1 (AWS FSBP)                                                    | Low              | `decision.api.shisho.dev/v1beta:aws_kinesis_stream_encryption`                           |
| Ensure that AWS KMS keys are not deleted unintentionally                                                                    | KMS.3 (AWS FSBP)                                                        | Critical         | `decision.api.shisho.dev/v1beta:aws_kms_key_deletion`                                    |
| Ensure that IAM customer managed policies do not allow decryption actions on all KMS keys                                   | KMS.1 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_kms_key_iam_policies`                                |
| Ensure rotation for customer created symmetric CMKs is enabled                                                              | 3.8 (CIS AWS v1.5.0), 3.6 (CIS AWS v3.0.0)                              | Low              | `decision.api.shisho.dev/v1beta:aws_kms_symmetric_cmk_rotation`                          |
| Ensure that Lambda functions are publicly accessible only if they are allowed                                               | Lambda.1 (AWS FSBP)                                                     | Critical         | `decision.api.shisho.dev/v1beta:aws_lambda_public_access`                                |
| Ensure that Lambda functions use newer runtimes                                                                             | Lambda.2 (AWS FSBP)                                                     | Low              | `decision.api.shisho.dev/v1beta:aws_lambda_runtime`                                      |
| Ensure that VPC Lambda functions operate in more than one Availability Zone                                                 | Lambda.5 (AWS FSBP)                                                     | Medium           | `decision.api.shisho.dev/v1beta:aws_lambda_vpc_availability_zone`                        |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes                                                     | 4.8 (CIS AWS v1.5.0), 4.8 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_bucket_policy_changes`                     |
| Ensure a log metric filter and alarm exist for CloudTrail configuration changes                                             | 4.5 (CIS AWS v1.5.0), 4.5 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_cloudtrail_changes`                        |
| Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs                     | 4.7 (CIS AWS v1.5.0), 4.7 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_cmk_changes`                               |
| Ensure a log metric filter and alarm exist for AWS Config configuration changes                                             | 4.9 (CIS AWS v1.5.0), 4.9 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_config_changes`                            |
| Ensure a log metric filter and alarm exist for AWS Management Console authentication failures                               | 4.6 (CIS AWS v1.5.0), 4.6 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_console_auth_failure`                      |
| Ensure a log metric filter and alarm exist for usage of the root user                                                       | 4.3 (CIS AWS v1.5.0), 4.3 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_console_root_user_usage`                   |
| Ensure a log metric filter and alarm exist for Management Console sign-in without MFA                                       | 4.2 (CIS AWS v1.5.0), 4.2 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_console_signin_mfa`                        |
| Ensure a log metric filter and alarm exist for IAM policy changes                                                           | 4.4 (CIS AWS v1.5.0), 4.4 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_iam_policy_changes`                        |
| Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)                               | 4.11 (CIS AWS v1.5.0), 4.11 (CIS AWS v3.0.0)                            | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_nacl_changes`                              |
| Ensure a log metric filter and alarm exist for changes to network gateways                                                  | 4.12 (CIS AWS v1.5.0), 4.12 (CIS AWS v3.0.0)                            | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_network_gateway_changes`                   |
| Ensure a log metric filter and alarm exist for AWS Organizations changes                                                    | 4.15 (CIS AWS v1.5.0), 4.15 (CIS AWS v3.0.0)                            | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_organizations_changes`                     |
| Ensure a log metric filter and alarm exist for route table changes                                                          | 4.13 (CIS AWS v1.5.0), 4.13 (CIS AWS v3.0.0)                            | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_route_table_changes`                       |
| Ensure a log metric filter and alarm exist for security group changes                                                       | 4.10 (CIS AWS v1.5.0), 4.10 (CIS AWS v3.0.0)                            | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_security_group_changes`                    |
| Ensure a log metric filter and alarm exist for unauthorized API calls                                                       | 4.1 (CIS AWS v1.5.0), 4.1 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_unauthorized_api_calls`                    |
| Ensure a log metric filter and alarm exist for VPC changes                                                                  | 4.14 (CIS AWS v1.5.0), 4.14 (CIS AWS v3.0.0)                            | Info             | `decision.api.shisho.dev/v1beta:aws_logmetric_vpc_changes`                               |
| Ensure that unused Network Access Control Lists are removed                                                                 | EC2.16 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_networking_acl_assosiations`                         |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports                                   | EC2.21 (AWS FSBP), 5.1 (CIS AWS v1.5.0), 5.1 (CIS AWS v3.0.0)           | High             | `decision.api.shisho.dev/v1beta:aws_networking_acl_ingress`                              |
| Ensure that the VPC default security group does not allow inbound and outbound traffic                                      | EC2.2 (AWS FSBP)                                                        | Info             | `decision.api.shisho.dev/v1beta:aws_networking_default_sg_restriction`                   |
| Ensure that the default stateless action for Network Firewall policies is drop or forward for full packets                  | NetworkFirewall.4 (AWS FSBP)                                            | Medium           | `decision.api.shisho.dev/v1beta:aws_networking_fp_stateless_action`                      |
| Ensure that the default stateless action for Network Firewall policies is drop or forward for fragmented packets            | NetworkFirewall.5 (AWS FSBP)                                            | Medium           | `decision.api.shisho.dev/v1beta:aws_networking_fp_stateless_fragment_action`             |
| Ensure that Stateless Network Firewall rule group is not empty                                                              | NetworkFirewall.6 (AWS FSBP)                                            | Medium           | `decision.api.shisho.dev/v1beta:aws_networking_frg_rules`                                |
| Ensure the default security group restricts all traffic                                                                     | 5.4 (CIS AWS v1.5.0), 5.4 (CIS AWS v3.0.0)                              | Info             | `decision.api.shisho.dev/v1beta:aws_networking_sg_baseline`                              |
| Ensure that security groups only allow unrestricted incoming traffic for authorized ports                                   | EC2.18 (AWS FSBP)                                                       | High             | `decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_rules`                         |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports                                | 5.2 (CIS AWS v1.5.0), 5.2 (CIS AWS v3.0.0)                              | High             | `decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4`                            |
| Ensure no security groups allow ingress from ::/0 to remote server administration ports                                     | 5.3 (CIS AWS v1.5.0), 5.3 (CIS AWS v3.0.0)                              | High             | `decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v6`                            |
| Ensure that EC2 subnets do not automatically assign public IP addresses                                                     | EC2.15 (AWS FSBP)                                                       | Medium           | `decision.api.shisho.dev/v1beta:aws_networking_subnet_public_ip`                         |
| Ensure that Transit Gateways do not automatically accept VPC attachment requests                                            | EC2.23 (AWS FSBP)                                                       | Medium           | `decision.api.shisho.dev/v1beta:aws_networking_transit_gateway_auto_vpc_attachment`      |
| Ensure AWS VPC flow logging is enabled                                                                                      | EC2.6 (AWS FSBP), 3.9 (CIS AWS v1.5.0), 3.7 (CIS AWS v3.0.0)            | Medium           | `decision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging`                         |
| Ensure that both VPN tunnels of an AWS Site-to-Site VPN connection are up                                                   | EC2.20 (AWS FSBP)                                                       | High             | `decision.api.shisho.dev/v1beta:aws_networking_vpn_tunnels_state`                        |
| Ensure that RDS clusters use a custom administrator username                                                                | RDS.24 (AWS FSBP)                                                       | Medium           | `decision.api.shisho.dev/v1beta:aws_rds_cluster_administrator_username`                  |
| Ensure that RDS DB clusters are configured with multiple Availability Zones                                                 | RDS.15 (AWS FSBP)                                                       | Info             | `decision.api.shisho.dev/v1beta:aws_rds_cluster_availability_zone`                       |
| Ensure that Amazon Aurora clusters have backtracking enabled                                                                | RDS.14 (AWS FSBP)                                                       | Info             | `decision.api.shisho.dev/v1beta:aws_rds_cluster_backtracking`                            |
| Ensure that RDS DB clusters are configured to copy tags to snapshots                                                        | RDS.16 (AWS FSBP)                                                       | Info             | `decision.api.shisho.dev/v1beta:aws_rds_cluster_copy_tags_to_snapshots`                  |
| Ensure that RDS clusters have deletion protection enabled                                                                   | RDS.7 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_rds_cluster_deletion_protection`                     |
| Ensure that IAM authentication is configured for RDS clusters                                                               | RDS.12 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_rds_cluster_iam_authentication`                      |
| Ensure that RDS instances and clusters do not use a database engine default port                                            | RDS.23 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_rds_default_port_usage`                              |
| Ensure that public access is not given to RDS instances                                                                     | RDS.2 (AWS FSBP), 2.3.3 (CIS AWS v1.5.0), 2.3.3 (CIS AWS v3.0.0)        | High             | `decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility`                          |
| Ensure that RDS Database instances use a custom administrator username                                                      | RDS.25 (AWS FSBP)                                                       | Medium           | `decision.api.shisho.dev/v1beta:aws_rds_instance_administrator_username`                 |
| Ensure auto minor version upgrade feature is enabled for RDS instances                                                      | RDS.13 (AWS FSBP), 2.3.2 (CIS AWS v1.5.0), 2.3.2 (CIS AWS v3.0.0)       | Low              | `decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade`                           |
| Ensure that RDS instances have automatic backups enabled                                                                    | RDS.11 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_rds_instance_automatic_backup`                       |
| Ensure that RDS DB instances are configured with multiple Availability Zones                                                | RDS.5 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_rds_instance_availability_zone`                      |
| Ensure that RDS DB instances are configured to copy tags to snapshots                                                       | RDS.17 (AWS FSBP)                                                       | Info             | `decision.api.shisho.dev/v1beta:aws_rds_instance_copy_tags_to_snapshots`                 |
| Ensure that RDS DB instances have deletion protection enabled                                                               | RDS.8 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_rds_instance_deletion_protection`                    |
| Ensure encryption is enabled for RDS instances                                                                              | RDS.3 (AWS FSBP), 2.3.1 (CIS AWS v1.5.0), 2.3.1 (CIS AWS v3.0.0)        | Medium           | `decision.api.shisho.dev/v1beta:aws_rds_instance_encryption`                             |
| Ensure that enhanced monitoring is configured for RDS DB instances                                                          | RDS.6 (AWS FSBP)                                                        | Info             | `decision.api.shisho.dev/v1beta:aws_rds_instance_enhanced_monitoring`                    |
| Ensure that IAM authentication is configured for RDS instances                                                              | RDS.10 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_rds_instance_iam_authentication`                     |
| Ensure that database logging is enabled for RDS instances                                                                   | RDS.9 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_rds_instance_logging`                                |
| Ensure that RDS instances are deployed in a VPC                                                                             | RDS.18 (AWS FSBP)                                                       | Medium           | `decision.api.shisho.dev/v1beta:aws_rds_instance_vpc`                                    |
| Ensure that RDS snapshots are private                                                                                       | RDS.1 (AWS FSBP)                                                        | Critical         | `decision.api.shisho.dev/v1beta:aws_rds_snapshot_accessibility`                          |
| Ensure that RDS cluster snapshots and database snapshots are encrypted at rest                                              | RDS.4 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_rds_snapshot_encryption`                             |
| Ensure that an RDS event notifications subscription is configured for critical database parameter group events              | RDS.21 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_rds_subscription_parameter_group_event`              |
| Ensure that an RDS event notifications subscription is configured for critical database security group events               | RDS.22 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_rds_subscription_security_group_event`               |
| Ensure that S3 Block Public Access setting is enabled                                                                       | S3.1 (AWS FSBP)                                                         | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_account_public_access_block`                      |
| Ensure access logging is enabled for important S3 buckets                                                                   | S3.9 (AWS FSBP), 3.6 (CIS AWS v1.5.0), 3.4 (CIS AWS v3.0.0)             | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging`                            |
| Ensure that S3 permissions granted to other AWS accounts in bucket policies are restricted                                  | S3.6 (AWS FSBP)                                                         | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_account_permission`                        |
| Ensure that S3 access control lists (ACLs) are not used                                                                     | S3.12 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_acl`                                       |
| Ensure that S3 buckets have cross-region replication enabled                                                                | S3.7 (AWS FSBP)                                                         | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_cross_region_replication`                  |
| Ensure all S3 buckets are encrypted                                                                                         | S3.4 (AWS FSBP), 2.1.1 (CIS AWS v1.5.0)                                 | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption`                                |
| Ensure that S3 buckets have event notifications enabled                                                                     | S3.11 (AWS FSBP)                                                        | Info             | `decision.api.shisho.dev/v1beta:aws_s3_bucket_event_notifications`                       |
| Ensure that S3 buckets are encrypted at rest with AWS KMS keys                                                              | S3.17 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_kms_encryption`                            |
| Ensure that S3 buckets have lifecycle policies configured                                                                   | S3.13 (AWS FSBP)                                                        | Info             | `decision.api.shisho.dev/v1beta:aws_s3_bucket_lifecycle_policy`                          |
| Ensure MFA Delete is enabled on S3 buckets                                                                                  | 2.1.3 (CIS AWS v1.5.0), 2.1.3 (CIS AWS v3.0.0)                          | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_mfa_delete`                                |
| Ensure that S3 buckets are configured to use Object Lock                                                                    | S3.15 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_object_lock`                               |
| Ensure S3 buckets have the Block Public Access feature enabled                                                              | S3.8 (AWS FSBP), 2.1.5 (CIS AWS v1.5.0), 2.1.4 (CIS AWS v3.0.0)         | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block`                       |
| Ensure S3 buckets prohibit public read access                                                                               | S3.2 (AWS FSBP)                                                         | Critical         | `decision.api.shisho.dev/v1beta:aws_s3_bucket_public_read_access`                        |
| Ensure S3 buckets prohibit public write access                                                                              | S3.3 (AWS FSBP)                                                         | Critical         | `decision.api.shisho.dev/v1beta:aws_s3_bucket_public_write_access`                       |
| Ensure CloudTrail trails are logging S3 bucket read events                                                                  | 3.11 (CIS AWS v1.5.0), 3.9 (CIS AWS v3.0.0)                             | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_read_trail`                                |
| Ensure S3 buckets deny HTTP requests                                                                                        | 2.1.2 (CIS AWS v1.5.0), 2.1.1 (CIS AWS v3.0.0)                          | Medium           | `decision.api.shisho.dev/v1beta:aws_s3_bucket_transport`                                 |
| Ensure that S3 buckets use versioning                                                                                       | S3.14 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_versioning`                                |
| Ensure that S3 buckets with versioning enabled have lifecycle policies configured                                           | S3.10 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_versioning_lifecycle_policy`               |
| Ensure CloudTrail trails are logging S3 bucket data write events                                                            | 3.10 (CIS AWS v1.5.0), 3.8 (CIS AWS v3.0.0)                             | Low              | `decision.api.shisho.dev/v1beta:aws_s3_bucket_write_trail`                               |
| Ensure that Secrets Manager secrets have automatic rotation enabled                                                         | SecretsManager.1 (AWS FSBP)                                             | Medium           | `decision.api.shisho.dev/v1beta:aws_secretsmanager_auto_rotation`                        |
| Ensure that Secrets Manager secrets configured with automatic rotation rotate successfully                                  | SecretsManager.2 (AWS FSBP)                                             | Medium           | `decision.api.shisho.dev/v1beta:aws_secretsmanager_auto_rotation_state`                  |
| Ensure that Secrets Manager secrets are rotated within a specified number of days                                           | SecretsManager.4 (AWS FSBP)                                             | Medium           | `decision.api.shisho.dev/v1beta:aws_secretsmanager_rotation_interval`                    |
| Ensure that unused Secrets Manager secrets are removed                                                                      | SecretsManager.3 (AWS FSBP)                                             | Low              | `decision.api.shisho.dev/v1beta:aws_secretsmanager_secret_usage`                         |
| Ensure AWS Security Hub is enabled                                                                                          | 4.16 (CIS AWS v1.5.0), 4.16 (CIS AWS v3.0.0)                            | Info             | `decision.api.shisho.dev/v1beta:aws_securityhub_usage`                                   |
| Ensure that SNS topics are encrypted                                                                                        | SNS.1 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_sns_kms_encryption`                                  |
| Ensure that Amazon SQS queues are encrypted                                                                                 | SQS.1 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_sqs_encryption`                                      |
| Ensure that EC2 instances managed by Systems Manager have an association compliance status of COMPLIANT                     | SSM.3 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_ssm_association_compliance`                          |
| Ensure that SSM documents are not public                                                                                    | SSM.4 (AWS FSBP)                                                        | Critical         | `decision.api.shisho.dev/v1beta:aws_ssm_document_accessibility`                          |
| Ensure that EC2 instances are managed by AWS Systems Manager                                                                | SSM.1 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_ssm_managed_instances`                               |
| Ensure that EC2 instances managed by Systems Manager have a patch compliance status of COMPLIANT after a patch installation | SSM.2 (AWS FSBP)                                                        | High             | `decision.api.shisho.dev/v1beta:aws_ssm_patch_compliance`                                |
| Ensure that a WAF Classic rule has at least one condition                                                                   | WAF.2 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_waf_classic_rule_condition`                          |
| Ensure that a WAF Classic rule group has at least one rule                                                                  | WAF.3 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_waf_classic_rule_group_attached_rules`               |
| Ensure that AWS WAF Classic Global Web ACL logging is enabled                                                               | WAF.1 (AWS FSBP)                                                        | Medium           | `decision.api.shisho.dev/v1beta:aws_waf_classic_web_acl_logging`                         |
| Ensure that a WAF Classic Web ACL has at least one rule or rule group                                                       | WAF.4 (AWS FSBP)                                                        | Low              | `decision.api.shisho.dev/v1beta:aws_waf_classic_web_acl_rules`                           |
| Ensure that AWS WAFv2 web ACL logging is activated                                                                          | WAF.11 (AWS FSBP)                                                       | Medium           | `decision.api.shisho.dev/v1beta:aws_waf_web_acl_logging`                                 |
| Ensure that a WAFv2 web ACL has at least one rule or rule group                                                             | WAF.10 (AWS FSBP)                                                       | Low              | `decision.api.shisho.dev/v1beta:aws_waf_web_acl_rules`                                   |
