Managed Security Review for AWS Foundational Security Best Practices (FSBP)
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page explains managed security reviews on AWS Foundational Security Best Practices (FSBP) provided by Flatt Security. Note that Flatt Security may provide more policies than ones described here, depending on your support plans.
info
This page doesn't include review items included in Managed Security Review for CIS AWS Foundations Benchmark v1.5.0 now.
To use managed security reviews
By applying Shisho Cloud workflows to your organization, you'll see security review results soon:
All managed review items
| Title | Item in Standard | Default Severity | ID in Shisho Cloud |
|---|---|---|---|
| Ensure CloudFront distributions have a default root object | CloudFront.1 | Critical | decision.api.shisho.dev/v1beta:aws_cloudfront_default_root_object |
| Ensure that connections to CloudFront distributions are forced to use HTTPS | CloudFront.3 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_transport |
| Ensure CloudFront distributions have an active logging bucket | CloudFront.5 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_logging |
| Ensure that connections to CloudFront distribution origins are forced to use HTTPS | CloudFront.9 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport |
| Ensure that HTTPS connections to CloudFront distribution origins use secure SSL/TLS protocols | CloudFront.10 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_transport_version |
| Ensure CloudFront distributions with S3 backends use origin access control enabled | CloudFront.13 | Medium | decision.api.shisho.dev/v1beta:aws_cloudfront_origin_access_control |
| Ensure AWS VPC flow logging is enabled | EC2.6 | Medium | decision.api.shisho.dev/v1beta:aws_networking_vpc_flow_logging |
| Ensure EBS volume encryption is enabled in all regions | EC2.7 | Medium | decision.api.shisho.dev/v1beta:aws_ebs_volume_encryption_baseline |
| Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | EC2.14 | High | decision.api.shisho.dev/v1beta:aws_networking_sg_ingress_v4 |
| Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | EC2.21 | High | decision.api.shisho.dev/v1beta:aws_networking_acl_ingress |
| Ensure public IP addresses are not assigned to ECS services automatically | ECS.2 | High | decision.api.shisho.dev/v1beta:aws_ecs_service_public_ip |
| Ensure ECS containers run as non-privileged | ECS.4 | High | decision.api.shisho.dev/v1beta:aws_ecs_container_privilege |
| Ensure root filesystem operation by ECS containers is limited to read-only access | ECS.5 | Low | decision.api.shisho.dev/v1beta:aws_ecs_container_fs_permission |
| Ensure Application Load Balancers drop invalid HTTP headers | ELB.4 | Low | decision.api.shisho.dev/v1beta:aws_alb_invalid_header_handling |
| Ensure Application Load Balancers have an active logging bucket | ELB.5 | Medium | decision.api.shisho.dev/v1beta:aws_alb_logging |
| Ensure Application Load Balancer deletion protection is enabled | ELB.6 | Low | decision.api.shisho.dev/v1beta:aws_alb_delete_protection |
| Ensure Application Load Balancers mitigate HTTP desync attacks | ELB.12 | Medium | decision.api.shisho.dev/v1beta:aws_alb_desync_mitigation |
| Ensure IAM policies that allow full administrative privileges are not attached | IAM.1 | Critical | decision.api.shisho.dev/v1beta:aws_iam_administrative_policy_limitation |
| Ensure IAM users receive permissions only through groups | IAM.2 | Low | decision.api.shisho.dev/v1beta:aws_iam_user_group_permission_assignment |
| Ensure AWS IAM access keys are rotated per pre-defined time window | IAM.3 | Medium | decision.api.shisho.dev/v1beta:aws_iam_key_rotation |
| Ensure the AWS root user does not have access keys | IAM.4 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_key |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | IAM.5 | High | decision.api.shisho.dev/v1beta:aws_iam_user_mfa |
| Ensure Hardware MFA is enabled for the root user account | IAM.6 | High | decision.api.shisho.dev/v1beta:aws_iam_root_user_hardware_mfa |
| Ensure MFA is enabled for the root user account | IAM.9 | Critical | decision.api.shisho.dev/v1beta:aws_iam_root_user_mfa |
| Ensure IAM password policy requires enough minimum length | IAM.15 | High | decision.api.shisho.dev/v1beta:aws_iam_password_length |
| Ensure IAM password policy prevents password reuse | IAM.16 | High | decision.api.shisho.dev/v1beta:aws_iam_password_reuse |
| Ensure a support role has been created to manage incidents with AWS Support | IAM.18 | Low | decision.api.shisho.dev/v1beta:aws_iam_role_for_support |
| Ensure credentials unused for specific days are disabled | IAM.22 | High | decision.api.shisho.dev/v1beta:aws_iam_credentials_inventory |
| Ensure that public access is not given to RDS instances | RDS.2 | High | decision.api.shisho.dev/v1beta:aws_rds_instance_accessibility |
| Ensure encryption is enabled for RDS instances | RDS.3 | Medium | decision.api.shisho.dev/v1beta:aws_rds_instance_encryption |
| Ensure auto minor version upgrade feature is enabled for RDS instances | RDS.13 | Low | decision.api.shisho.dev/v1beta:aws_rds_instance_auto_upgrade |
| Ensure all S3 buckets are encrypted | S3.4 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_encryption |
| Ensure S3 buckets enabled block public access feature | S3.8 | Medium | decision.api.shisho.dev/v1beta:aws_s3_bucket_public_access_block |
| Ensure access logging is enabled for important S3 buckets | S3.9 | Low | decision.api.shisho.dev/v1beta:aws_s3_bucket_access_logging |