Managed Security Review for AWS Foundational Security Best Practices (FSBP)
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews on AWS Foundational Security Best Practices (FSBP) provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
info
This page doesn't include review items included in Managed Security Review for CIS AWS Foundations Benchmark v1.5.0 now.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
All managed review items
| Title | Item in Standard | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure that ACM certificates should be renewed before expiry | ACM.1 | High | decision.api.shisho.dev/v1beta:aws_acm_certificate_expiry |
| Ensure that ACM RSA certificates use allowed key algorithms | ACM.2 | Medium | decision.api.shisho.dev/v1beta:aws_acm_certificate_key_algorithm |
| Ensure that logging for API Gateway REST and WebSocket API is enabled | APIGateway.1 | Medium | decision.api.shisho.dev/v1beta:aws_apigateway_logging |
| Ensure that access to API Gateway backends use client certificates | APIGateway.2 | High | decision.api.shisho.dev/v1beta:aws_apigateway_ssl_certificates |
| Ensure that AWS X-Ray tracing for API Gateway is enabled | APIGateway.3 | Info | decision.api.shisho.dev/v1beta:aws_apigateway_xray_tracing |
| Ensure that API Gateway is associated with a WAF Web ACL | APIGateway.4 | Info | decision.api.shisho.dev/v1beta:aws_apigateway_waf_web_acl |
| Ensure that API Gateway REST API cache data is encrypted at rest | APIGateway.5 | Info | decision.api.shisho.dev/v1beta:aws_apigateway_cache_encryption |
| Ensure that API Gateway routes or backends have proper authentication | APIGateway.8 | High | decision.api.shisho.dev/v1beta:aws_apigateway_route_auth |
| Ensure that access logging should be configured for API Gateway V2 Stages | APIGateway.9 | Medium | decision.api.shisho.dev/v1beta:aws_apigateway_access_logging |
| Ensure that security contact information is registered to AWS accounts | Account.1 | Info | decision.api.shisho.dev/v1beta:aws_iam_account_alternate_contact |
| Ensure that Auto Scaling groups associated with a Classic Load Balancer use load balancer health checks | AutoScaling.1 | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_lb_health_check |
| Ensure that Auto Scaling groups cover multiple Availability Zones | AutoScaling.2 | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_availability_zones |
| Ensure that Auto Scaling groups require IMDSv2 | AutoScaling.3 | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_imdsv2 |
| Ensure that Auto Scaling group launch configuration do not have a metadata response hop limit greater than 1 | AutoScaling.4 | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_response_hop_limit |
| Ensure that EC2 instances do not have Public IP addresses | AutoScaling.5 | Medium | decision.api.shisho.dev/v1beta:aws_autoscaling_launch_configuration_public_ip |
| Ensure that Auto Scaling groups use multiple instance types in multiple Availability Zones | AutoScaling.6 | Low | decision.api.shisho.dev/v1beta:aws_autoscaling_group_instance_types |
| Ensure that Auto Scaling groups use EC2 launch templates | AutoScaling.9 | Info | decision.api.shisho.dev/v1beta:aws_autoscaling_group_launch_template |
| Ensure that events on CloudFormation stacks are integrated with a SNS topic | CloudFormation.1 | Info | decision.api.shisho.dev/v1beta:aws_cloudformation_stack_sns |
| Ensure CloudFront distributions have a default root object | CloudFront.1 | Critical | decision.api.shisho.dev/v1beta:aws_cloudfront_default_root_object |
| Ensure that connections to CloudFront distributions are forced to use HTTPS | CloudFront.3 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_transport |
| Ensure that CloudFront distributions should have origin failover configured | CloudFront.4 | Low | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_failover |
| Ensure CloudFront distributions have an active logging bucket | CloudFront.5 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_logging |
| Ensure that CloudFront distributions have WAF enabled | CloudFront.6 | Low | decision.api.shisho.dev/v1beta:aws_cloudfront_waf |
| Ensure that CloudFront distributions use custom SSL/TLS certificates | CloudFront.7 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_default_certificate |
| Ensure that CloudFront distributions use SNI to serve HTTPS requests | CloudFront.8 | Info | decision.api.shisho.dev/v1beta:aws_cloudfront_sni |
| Ensure that connections to CloudFront distribution origins are forced to use HTTPS | CloudFront.9 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport |
| Ensure that HTTPS connections to CloudFront distribution origins use secure SSL/TLS protocols | CloudFront.10 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport_version |
| Ensure that CloudFront distributions point to existent S3 origins | CloudFront.12 | High | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_s3_bucket_existence |
| Ensure CloudFront distributions with S3 backends use origin access control enabled | CloudFront.13 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_access_control |
| Ensure CloudTrail is enabled in all regions | CloudTrail.1 | High | decision.api.shisho.dev/v1beta:aws_cloudtrail_usage |
| Ensure CloudTrail logs are encrypted at rest using KMS CMKs | CloudTrail.2 | Low | decision.api.shisho.dev/v1beta:aws_cloudtrail_cmk_encryption |
| Ensure CloudTrail trails are integrated with CloudWatch Logs | CloudTrail.5 | Info | decision.api.shisho.dev/v1beta:aws_cloudtrail_cloudwatch_logs_integration |
| Ensure that CodeBuild Bitbucket source repository URLs do not include credentials | CodeBuild.1 | High | decision.api.shisho.dev/v1beta:aws_codebuild_project_source_repository_credential |
| Ensure that CodeBuild project environment variables do not contain clear text AWS credentials | CodeBuild.2 | High | decision.api.shisho.dev/v1beta:aws_codebuild_project_env_variables |
| Ensure that CodeBuild projects are configured to encrypt S3 logs | CodeBuild.3 | Low | decision.api.shisho.dev/v1beta:aws_codebuild_project_s3_logs_encryption |
| Ensure that CodeBuild project environments have a logging AWS Configuration | CodeBuild.4 | Low | decision.api.shisho.dev/v1beta:aws_codebuild_project_logging_status |
| Ensure that CodeBuild project environments do not have privileged mode enabled | CodeBuild.5 | Medium | decision.api.shisho.dev/v1beta:aws_codebuild_project_env_privileged_mode |
| Ensure AWS Config is enabled in all regions | Config.1 | Info | decision.api.shisho.dev/v1beta:aws_config_recorder_status |
| Ensure that DynamoDB tables use auto scaling | DynamoDB.1 | Low | decision.api.shisho.dev/v1beta:aws_dynamodb_table_scale_capacity |
| Ensure that DynamoDB tables have point-in-time recovery enabled | DynamoDB.2 | Medium | decision.api.shisho.dev/v1beta:aws_dynamodb_table_point_in_time_recovery |
| Ensure that DynamoDB Accelerator clusters should be encrypted at rest | DynamoDB.3 | Low | decision.api.shisho.dev/v1beta:aws_dax_cluster_encryption |
| Ensure that Amazon EBS snapshots are not publicly restorable | EC2.1 | Critical | decision.api.shisho.dev/v1beta:aws_ebs_snapshot_publicly_restorable |
| Ensure that the VPC default security group does not allow inbound and outbound traffic | EC2.2 | Info | decision.api.shisho.dev/v1beta:aws_networking_default_sg_restriction |
| Ensure that attached Amazon EBS volumes are encrypted at-rest | EC2.3 | Low | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption |
| Ensure that stopped EC2 instances are removed | EC2.4 | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_state |
| Ensure AWS VPC flow logging is enabled | EC2.6 | Medium | decision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging |
| Ensure EBS volume encryption is enabled in all regions | EC2.7 | Low | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline |
| Ensure that EC2 instances use Instance Metadata Service Version 2 (IMDSv2) | EC2.8 | High | decision.api.shisho.dev/v1beta:aws_ec2_instance_imdsv2 |
| Ensure that EC2 instances do not have a public IPv4 address | EC2.9 | Medium | decision.api.shisho.dev/v1beta:aws_ec2_instance_public_ip_address |
| Ensure that EC2 is configured to use VPC endpoints to connect EC2 API | EC2.10 | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_vpc_endpoint |
| Ensure that EC2 subnets does not automatically assign public IP addresses | EC2.15 | Medium | decision.api.shisho.dev/v1beta:aws_networking_subnet_public_ip |
| Ensure that unused Network Access Control Lists are removed | EC2.16 | Low | decision.api.shisho.dev/v1beta:aws_networking_acl_assosiations |
| Ensure that EC2 instances do not use multiple ENIs | EC2.17 | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_network_interface |
| Ensure that security groups only allow unrestricted incoming traffic for authorized ports | EC2.18 | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_rules |
| Ensure that Both VPN tunnels for an AWS Site-to-Site VPN connection are up | EC2.20 | High | decision.api.shisho.dev/v1beta:aws_networking_vpn_tunnels_state |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | EC2.21 | High | decision.api.shisho.dev/v1beta:aws_networking_acl_ingress |
| Ensure that Transit Gateways do not automatically accept VPC attachment requests | EC2.23 | Medium | decision.api.shisho.dev/v1beta:aws_networking_transit_gateway_auto_vpc_attachment |
| Ensure that EC2 paravirtual instance types are not used | EC2.24 | Info | decision.api.shisho.dev/v1beta:aws_ec2_instance_virtualization |
| Ensure that EC2 launch templates do not assign public IPs to network interfaces | EC2.25 | Medium | decision.api.shisho.dev/v1beta:aws_ec2_launch_template_public_ip_address |
| Ensure that ECR private repositories have image scanning configured | ECR.1 | Low | decision.api.shisho.dev/v1beta:aws_ecr_repository_image_scan_config |
| Ensure that ECR private repositories have tag immutability configured | ECR.2 | Medium | decision.api.shisho.dev/v1beta:aws_ecr_repository_tag_immutability |
| Ensure that ECR repositories have at least one lifecycle policy configured | ECR.3 | Low | decision.api.shisho.dev/v1beta:aws_ecr_repository_lifecycle_policy_config |
| Ensure that ECS task definitions have secure networking modes | ECS.1 | High | decision.api.shisho.dev/v1beta:aws_ecs_task_networking_mode |
| Ensure public IP addresses are not assigned to ECS services automatically | ECS.2 | High | decision.api.shisho.dev/v1beta:aws_ecs_service_public_ip |
| Ensure that ECS task definitions do not share the host's process namespace | ECS.3 | High | decision.api.shisho.dev/v1beta:aws_ecs_task_process_namespace |
| Ensure ECS containers run as non-privileged | ECS.4 | High | decision.api.shisho.dev/v1beta:aws_ecs_container_privilege |
| Ensure root filesystem operation by ECS containers is limited to read-only access | ECS.5 | Low | decision.api.shisho.dev/v1beta:aws_ecs_container_fs_permission |
| Ensure that secrets do not be passed as container environment variables | ECS.8 | Medium | decision.api.shisho.dev/v1beta:aws_ecs_container_environment_variables |
| Ensure that ECS Fargate services run on proper Fargate platform versions | ECS.10 | Low | decision.api.shisho.dev/v1beta:aws_ecs_task_fargate_version |
| Ensure that ECS clusters use Container Insights | ECS.12 | Info | decision.api.shisho.dev/v1beta:aws_ecs_cluster_container_insights |
| Ensure EFS file systems are encrypted | EFS.1 | Medium | decision.api.shisho.dev/v1beta:aws_efs_volume_encryption |
| Ensure that Amazon EFS volumes are in backup plans | EFS.2 | Low | decision.api.shisho.dev/v1beta:aws_efs_volume_backup_plan |
| Ensure that EFS access points have a root directory except for / | EFS.3 | Low | decision.api.shisho.dev/v1beta:aws_efs_access_point_root_directory |
| Ensure that EFS access points enforce a user identity | EFS.4 | Medium | decision.api.shisho.dev/v1beta:aws_efs_access_point_user_identity |
| Ensure that access to EKS cluster endpoints is restricted | EKS.1 | High | decision.api.shisho.dev/v1beta:aws_eks_public_access |
| Ensure that audit logging for EKS clusters is enabled | EKS.8 | Medium | decision.api.shisho.dev/v1beta:aws_eks_audit_logging |
| Ensure Application Load Balancers redirect all HTTP requests to HTTPS | ELB.1 | Low | decision.api.shisho.dev/v1beta:aws_alb_https_redirection |
| Ensure Application Load Balancers drop invalid HTTP headers | ELB.4 | Low | decision.api.shisho.dev/v1beta:aws_alb_invalid_header_handling |
| Ensure Application Load Balancers have an active logging bucket | ELB.5 | Medium | decision.api.shisho.dev/v1beta:aws_alb_logging |
| Ensure Application Load Balancer deletion protection is enabled | ELB.6 | Low | decision.api.shisho.dev/v1beta:aws_alb_delete_protection |
| Ensure Application Load Balancers mitigate HTTP desync attacks | ELB.12 | Medium | decision.api.shisho.dev/v1beta:aws_alb_desync_mitigation |
| Ensure that AWS Load Balancers span multiple Availability Zones | ELB.13 | Low | decision.api.shisho.dev/v1beta:aws_elb_availability_zones |
| Ensure that GuardDuty is enabled | GuardDuty.1 | Medium | decision.api.shisho.dev/v1beta:aws_guardduty_status |
| Ensure IAM policies that allow full administrative privileges are not attached | IAM.1 | Critical | decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation |
| Ensure IAM users receive permissions only through groups | IAM.2 | Low | decision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment |
| Ensure AWS IAM access keys are rotated per pre-defined time window | IAM.3 | Medium | decision.api.shisho.dev/v1beta:aws_iam_key_rotation |
| Ensure the AWS root user does not have access keys | IAM.4 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_key |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IAM.5 | High | decision.api.shisho.dev/v1beta:aws_iam_user_mfa |
| Ensure Hardware MFA is enabled for the root user account | IAM.6 | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa |
| Ensure credentials unused for specific days are disabled | IAM.8 | High | decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory |
| Ensure that IAM policies that you create do not use wildcard actions | IAM.21 | Low | decision.api.shisho.dev/v1beta:aws_iam_policy_service_limitation |
| Ensure that IAM customer managed policies do not allow decryption actions on all KMS keys | KMS.1 | Medium | decision.api.shisho.dev/v1beta:aws_kms_key_iam_policies |
| Ensure that AWS KMS keys are not deleted unintentionally | KMS.3 | Critical | decision.api.shisho.dev/v1beta:aws_kms_key_deletion |
| Ensure that Kinesis streams should be encrypted at rest | Kinesis.1 | Low | decision.api.shisho.dev/v1beta:aws_kinesis_stream_encryption |
| Ensure that Lambda functions are publicly accessible only if they are allowed | Lambda.1 | Critical | decision.api.shisho.dev/v1beta:aws_lambda_public_access |
| Ensure that Lambda functions use newer runtimes | Lambda.2 | Low | decision.api.shisho.dev/v1beta:aws_lambda_runtime |
| Ensure that VPC Lambda functions operate in more than one Availability Zone | Lambda.5 | Medium | decision.api.shisho.dev/v1beta:aws_lambda_vpc_availability_zone |
| Ensure that the default stateless action for Network Firewall policies is drop or forward for full packets | NetworkFirewall.4 | Medium | decision.api.shisho.dev/v1beta:aws_networking_fp_stateless_action |
| Ensure that the default stateless action for Network Firewall policies is drop or forward for fragmented packets | NetworkFirewall.5 | Medium | decision.api.shisho.dev/v1beta:aws_networking_fp_stateless_fragment_action |
| Ensure that Stateless Network Firewall rule group is not empty | NetworkFirewall.6 | Medium | decision.api.shisho.dev/v1beta:aws_networking_frg_rules |
| Ensure CloudTrail log file validation is enabled | PCI.CloudTrail.4 | Medium | decision.api.shisho.dev/v1beta:aws_cloudtrail_log_file_validation |
| Ensure that RDS snapshot is private | RDS.1 | Critical | decision.api.shisho.dev/v1beta:aws_rds_snapshot_accessibility |
| Ensure that public access is not given to RDS instances | RDS.2 | High | decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility |
| Ensure encryption is enabled for RDS instances | RDS.3 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_encryption |
| Ensure that RDS cluster snapshots and database snapshots should be encrypted at rest | RDS.4 | Low | decision.api.shisho.dev/v1beta:aws_rds_snapshot_encryption |
| Ensure that RDS DB instances are configured with multiple Availability Zones | RDS.5 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_availability_zone |
| Ensure that enhanced monitoring is configured for RDS DB instances | RDS.6 | Info | decision.api.shisho.dev/v1beta:aws_rds_instance_enhanced_monitoring |
| Ensure that RDS clusters have deletion protection enabled | RDS.7 | High | decision.api.shisho.dev/v1beta:aws_rds_cluster_deletion_protection |
| Ensure that RDS DB instances have deletion protection enabled | RDS.8 | High | decision.api.shisho.dev/v1beta:aws_rds_instance_deletion_protection |
| Ensure that Database logging is enabled | RDS.9 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_logging |
| Ensure that IAM authentication is configured for RDS instances | RDS.10 | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_iam_authentication |
| Ensure that RDS instances have automatic backups enabled | RDS.11 | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_automatic_backup |
| Ensure that IAM authentication is configured for RDS clusters | RDS.12 | Low | decision.api.shisho.dev/v1beta:aws_rds_cluster_iam_authentication |
| Ensure auto minor version upgrade feature is enabled for RDS instances | RDS.13 | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade |
| Ensure that Amazon Aurora clusters have backtracking enabled | RDS.14 | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_backtracking |
| Ensure that RDS DB clusters are configured with multiple Availability Zones | RDS.15 | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_availability_zone |
| Ensure that RDS DB clusters should be configured to copy tags to snapshots | RDS.16 | Info | decision.api.shisho.dev/v1beta:aws_rds_cluster_copy_tags_to_snapshots |
| Ensure that RDS DB instances should be configured to copy tags to snapshots | RDS.17 | Info | decision.api.shisho.dev/v1beta:aws_rds_instance_copy_tags_to_snapshots |
| Ensure that RDS instances are deployed in a VPC | RDS.18 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_vpc |
| Ensure that an RDS event notifications subscription is configured for critical database parameter group events | RDS.21 | Low | decision.api.shisho.dev/v1beta:aws_rds_subscription_parameter_group_event |
| Ensure that an RDS event notifications subscription is configured for critical database security group events | RDS.22 | Low | decision.api.shisho.dev/v1beta:aws_rds_subscription_security_group_event |
| Ensure that RDS instances and clusters do not use a database engine default port | RDS.23 | Low | decision.api.shisho.dev/v1beta:aws_rds_default_port_usage |
| Ensure that RDS clusters use a custom administrator username | RDS.24 | Medium | decision.api.shisho.dev/v1beta:aws_rds_cluster_administrator_username |
| Ensure that RDS Database instances use a custom administrator username | RDS.25 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_administrator_username |
| Ensure that S3 Block Public Access setting is enabled | S3.1 | Medium | decision.api.shisho.dev/v1beta:aws_s3_account_public_access_block |
| Ensure S3 buckets prohibit public read access | S3.2 | Critical | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_read_access |
| Ensure S3 buckets prohibit public write access | S3.3 | Critical | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_write_access |
| Ensure all S3 buckets are encrypted | S3.4 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption |
| Ensure that S3 permissions granted to other AWS accounts in bucket policies are restricted | S3.6 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_account_permission |
| Ensure that S3 buckets have cross-region replication enabled | S3.7 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_cross_region_replication |
| Ensure S3 buckets enabled block public access feature | S3.8 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block |
| Ensure access logging is enabled for important S3 buckets | S3.9 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging |
| Ensure that S3 buckets with versioning enabled have lifecycle policies configured | S3.10 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_versioning_lifecycle_policy |
| Ensure that S3 buckets have event notifications enabled | S3.11 | Info | decision.api.shisho.dev/v1beta:aws_s3_bucket_event_notifications |
| Ensure that S3 access control lists (ACLs) are not used | S3.12 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_acl |
| Ensure that S3 buckets have lifecycle policies configured | S3.13 | Info | decision.api.shisho.dev/v1beta:aws_s3_bucket_lifecycle_policy |
| Ensure that S3 buckets should use versioning | S3.14 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_versioning |
| Ensure that S3 buckets are configured to use Object Lock | S3.15 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_object_lock |
| Ensure that S3 buckets are encrypted at rest with AWS KMS keys | S3.17 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_kms_encryption |
| Ensure that SNS topics are encrypted | SNS.1 | Low | decision.api.shisho.dev/v1beta:aws_sns_kms_encryption |
| Ensure that Amazon SQS queues are encrypted | SQS.1 | Low | decision.api.shisho.dev/v1beta:aws_sqs_encryption |
| Ensure that EC2 instances are managed by AWS Systems Manager | SSM.1 | Medium | decision.api.shisho.dev/v1beta:aws_ssm_managed_instances |
| Ensure that EC2 instances managed by Systems Manager have a patch compliance status of COMPLIANT after a patch installation | SSM.2 | High | decision.api.shisho.dev/v1beta:aws_ssm_patch_compliance |
| Ensure that EC2 instances managed by Systems Manager have an association compliance status of COMPLIANT | SSM.3 | Low | decision.api.shisho.dev/v1beta:aws_ssm_association_compliance |
| Ensure that SSM documents are not public | SSM.4 | Critical | decision.api.shisho.dev/v1beta:aws_ssm_document_accessibility |
| Ensure that Secrets Manager secrets have automatic rotation enabled | SecretsManager.1 | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_auto_rotation |
| Ensure that Secrets Manager secrets configured with automatic rotation rotate successfully | SecretsManager.2 | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_auto_rotation_state |
| Ensure that unused Secrets Manager secrets are removed | SecretsManager.3 | Low | decision.api.shisho.dev/v1beta:aws_secretsmanager_secret_usage |
| Ensure that Secrets Manager secrets are rotated within a specified number of days | SecretsManager.4 | Medium | decision.api.shisho.dev/v1beta:aws_secretsmanager_rotation_interval |
| Ensure that AWS WAF Classic Global Web ACL logging is enabled | WAF.1 | Medium | decision.api.shisho.dev/v1beta:aws_waf_classic_web_acl_logging |
| Ensure that a WAF Classic rule has at least one condition | WAF.2 | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_rule_condition |
| Ensure that a WAF Classic rule group has at least one rule | WAF.3 | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_rule_group_attached_rules |
| Ensure that a WAF Classic Web ACL has at least one rule or rule group | WAF.4 | Low | decision.api.shisho.dev/v1beta:aws_waf_classic_web_acl_rules |
| Ensure that a WAFv2 web ACL has at least one rule or rule group | WAF.10 | Low | decision.api.shisho.dev/v1beta:aws_waf_web_acl_rules |
| Ensure that AWS WAFv2 web ACL logging is activated | WAF.11 | Medium | decision.api.shisho.dev/v1beta:aws_waf_web_acl_logging |